d174449b3ecc2bf75ad9aac6888549dadc76a0f8026d32cd660e410f1e2e1ce9

Analysis

max time kernel
173s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
Size

72KB
MD5

07f00d3cdf1719b3b12c6cc33de69ea0
SHA1

de6342c8a9347d985f26009a459c99a35a5d301a
SHA256

d174449b3ecc2bf75ad9aac6888549dadc76a0f8026d32cd660e410f1e2e1ce9
SHA512

17bc0d9d555a1364ec3574ecbfb91de845969d81622031e7d527551544ae3becbf90fc889c88a85388f64a7a7e0ca19719b4e124a65b62dc24972b69c9842dc9
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyv5:HeT7BVwxfvqguKRFA0

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2172	backup.exe
2652	backup.exe
2872	update.exe
2524	backup.exe
2612	backup.exe
2564	backup.exe
2244	data.exe
596	backup.exe
2676	backup.exe
292	data.exe
2012	backup.exe
804	backup.exe
2484	backup.exe
1588	backup.exe
2984	backup.exe
2760	backup.exe
2448	backup.exe
2192	backup.exe
1544	update.exe
1304	backup.exe
1620	backup.exe
1832	backup.exe
340	backup.exe
2320	backup.exe
1716	backup.exe
992	backup.exe
2200	backup.exe
1984	backup.exe
1384	backup.exe
2908	backup.exe
1008	backup.exe
2936	backup.exe
2700	backup.exe
2724	backup.exe
2652	backup.exe
1532	backup.exe
2664	backup.exe
2508	backup.exe
2620	backup.exe
2564	data.exe
1476	backup.exe
476	System Restore.exe
2828	backup.exe
1924	backup.exe
1960	backup.exe
1912	backup.exe
2032	backup.exe
1760	backup.exe
2808	update.exe
1964	update.exe
540	backup.exe
2964	backup.exe
2812	backup.exe
2344	backup.exe
2328	backup.exe
2204	backup.exe
3064	backup.exe
1176	backup.exe
2224	backup.exe
1544	backup.exe
1972	backup.exe
632	backup.exe
332	backup.exe
2068	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2872	update.exe
2872	update.exe
2872	update.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
596	backup.exe
596	backup.exe
2676	backup.exe
2676	backup.exe
596	backup.exe
596	backup.exe
2012	backup.exe
2012	backup.exe
804	backup.exe
804	backup.exe
2012	backup.exe
2012	backup.exe
1588	backup.exe
1588	backup.exe
2984	backup.exe
2984	backup.exe
2984	backup.exe
2984	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
1544	update.exe
1544	update.exe
1544	update.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
2448	backup.exe
1384	backup.exe
1384	backup.exe
1384	backup.exe
1384	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
2172	backup.exe
2652	backup.exe
2872	update.exe
2524	backup.exe
2612	backup.exe
2564	backup.exe
2244	data.exe
596	backup.exe
2676	backup.exe
292	data.exe
2012	backup.exe
804	backup.exe
2484	backup.exe
1588	backup.exe
2984	backup.exe
2760	backup.exe
2448	backup.exe
2192	backup.exe
1544	update.exe
1304	backup.exe
1620	backup.exe
1832	backup.exe
340	backup.exe
2320	backup.exe
1716	backup.exe
992	backup.exe
2200	backup.exe
1984	backup.exe
1384	backup.exe
2908	backup.exe
1008	backup.exe
2936	backup.exe
2700	backup.exe
2724	backup.exe
2652	backup.exe
1532	backup.exe
2664	backup.exe
2508	backup.exe
2620	backup.exe
2564	data.exe
1476	backup.exe
476	System Restore.exe
2828	backup.exe
1924	backup.exe
1960	backup.exe
1912	backup.exe
2032	backup.exe
1760	backup.exe
2808	update.exe
540	backup.exe
1964	update.exe
2812	backup.exe
2964	backup.exe
2344	backup.exe
2328	backup.exe
2204	backup.exe
3064	backup.exe
1176	backup.exe
2224	backup.exe
1544	backup.exe
1972	backup.exe
332	backup.exe
2068	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2172	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	29
PID 2084 wrote to memory of 2172	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	29
PID 2084 wrote to memory of 2172	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	29
PID 2084 wrote to memory of 2172	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	29
PID 2084 wrote to memory of 2652	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	30
PID 2084 wrote to memory of 2652	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	30
PID 2084 wrote to memory of 2652	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	30
PID 2084 wrote to memory of 2652	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	30
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2872	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	31
PID 2084 wrote to memory of 2524	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	32
PID 2084 wrote to memory of 2524	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	32
PID 2084 wrote to memory of 2524	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	32
PID 2084 wrote to memory of 2524	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	32
PID 2084 wrote to memory of 2612	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	33
PID 2084 wrote to memory of 2612	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	33
PID 2084 wrote to memory of 2612	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	33
PID 2084 wrote to memory of 2612	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	33
PID 2084 wrote to memory of 2564	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	34
PID 2084 wrote to memory of 2564	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	34
PID 2084 wrote to memory of 2564	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	34
PID 2084 wrote to memory of 2564	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	34
PID 2084 wrote to memory of 2244	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	35
PID 2084 wrote to memory of 2244	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	35
PID 2084 wrote to memory of 2244	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	35
PID 2084 wrote to memory of 2244	2084	NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe	35
PID 2172 wrote to memory of 596	2172	backup.exe	36
PID 2172 wrote to memory of 596	2172	backup.exe	36
PID 2172 wrote to memory of 596	2172	backup.exe	36
PID 2172 wrote to memory of 596	2172	backup.exe	36
PID 596 wrote to memory of 2676	596	backup.exe	37
PID 596 wrote to memory of 2676	596	backup.exe	37
PID 596 wrote to memory of 2676	596	backup.exe	37
PID 596 wrote to memory of 2676	596	backup.exe	37
PID 2676 wrote to memory of 292	2676	backup.exe	38
PID 2676 wrote to memory of 292	2676	backup.exe	38
PID 2676 wrote to memory of 292	2676	backup.exe	38
PID 2676 wrote to memory of 292	2676	backup.exe	38
PID 596 wrote to memory of 2012	596	backup.exe	39
PID 596 wrote to memory of 2012	596	backup.exe	39
PID 596 wrote to memory of 2012	596	backup.exe	39
PID 596 wrote to memory of 2012	596	backup.exe	39
PID 2012 wrote to memory of 804	2012	backup.exe	40
PID 2012 wrote to memory of 804	2012	backup.exe	40
PID 2012 wrote to memory of 804	2012	backup.exe	40
PID 2012 wrote to memory of 804	2012	backup.exe	40
PID 804 wrote to memory of 2484	804	backup.exe	41
PID 804 wrote to memory of 2484	804	backup.exe	41
PID 804 wrote to memory of 2484	804	backup.exe	41
PID 804 wrote to memory of 2484	804	backup.exe	41
PID 2012 wrote to memory of 1588	2012	backup.exe	42
PID 2012 wrote to memory of 1588	2012	backup.exe	42
PID 2012 wrote to memory of 1588	2012	backup.exe	42
PID 2012 wrote to memory of 1588	2012	backup.exe	42
PID 1588 wrote to memory of 2984	1588	backup.exe	43
PID 1588 wrote to memory of 2984	1588	backup.exe	43
PID 1588 wrote to memory of 2984	1588	backup.exe	43
PID 1588 wrote to memory of 2984	1588	backup.exe	43
PID 2984 wrote to memory of 2760	2984	backup.exe	44

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.07f00d3cdf1719b3b12c6cc33de69ea0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\2626857801\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2626857801\backup.exe C:\Users\Admin\AppData\Local\Temp\2626857801\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2172
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\PerfLogs\Admin\data.exe
        
        C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2012
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2484
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2984
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        System policy modification
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        System policy modification
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        System policy modification
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2128
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:2816
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2536
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2404
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2068
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1916
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2140
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2036
        
        C:\Program Files\Common Files\System\ado\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1608
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:320
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:992
        
        C:\Program Files\Common Files\System\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\de-DE\update.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1220
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2176
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2964
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1124
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2940
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2648
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1208
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2204
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:292
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2280
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1172
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2868
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1300
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1684
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:940
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1700
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2512
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:2888
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2752
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:1368
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2292
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1892
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2584
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2284
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2136
      - C:\Program Files\Internet Explorer\fr-FR\update.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1756
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:960
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2468
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2828
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2836
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1000
      - C:\Program Files\Java\jre7\data.exe
        
        "C:\Program Files\Java\jre7\data.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2264
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2036
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:836
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2968
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:3056
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2480
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1964
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2964
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:2792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:2976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1960
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2260
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1308
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1936
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1980
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:3008
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1904
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2116
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1192
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1736
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1584
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2212
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1220
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2696
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1268
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1744
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1164
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2396
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2508
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3000
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1948
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1988
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2992
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1984
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2804
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2068
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2796
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2360
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2720
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:944
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:2452
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2608
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2732
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3032
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:768
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1988
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2632
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      System policy modification
      PID:568
    - - C:\Windows\addins\System Restore.exe
        
        "C:\Windows\addins\System Restore.exe" C:\Windows\addins\
        5⤵
        
        PID:1900
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1952
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2092
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2504
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2536
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1060
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
12b9a98ad9bc8fcb4c9e50b6ce0821f0

SHA1
38638282fac91bf6f6035c97cca9baba29a6c557

SHA256
408bddea0470b5ede22844cd18235d1157c430acf042e25113035252efa121db

SHA512
6e155855eac29c16bba35d42921627d0fb33f70546ba9f3c974bbc6822b5cb6ae7e93b1333c3bedb474887b80e2381c3d342c415791c015d06e051bf76abd963

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9c6cd2d9cf5fb52cf370a9ed992608a8

SHA1
9de5b8d363399a3a130451a3a910abfc84aca6f7

SHA256
ce0de3e7164851c4a3569089b86e8e64cd494b8dd4c9d08906bede074bdb9e7f

SHA512
281eeeef51e019801a2fe9e6cddc9b184ac1197976213e56c62b0e6ca460a38ddea6112a4036325e3999bc13ae58edc5405aa0a61a71b5df8b6566d05a41f534

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9c6cd2d9cf5fb52cf370a9ed992608a8

SHA1
9de5b8d363399a3a130451a3a910abfc84aca6f7

SHA256
ce0de3e7164851c4a3569089b86e8e64cd494b8dd4c9d08906bede074bdb9e7f

SHA512
281eeeef51e019801a2fe9e6cddc9b184ac1197976213e56c62b0e6ca460a38ddea6112a4036325e3999bc13ae58edc5405aa0a61a71b5df8b6566d05a41f534

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5b29d7320ed08cfc30574894c926f442

SHA1
56c6d0fa3bbc33eeaad58e76ff90f572b87de302

SHA256
03608739b1eaa9daaf3b9742398d9abbe95c099cd7c5c7fa7cbb9303ea325fac

SHA512
696c9f069aeecd7824527cb83bf4dbb7af4d05e3848681fa48a579d4fc9361faa44da13bad967a3a0fa692053b8b5d9a32487d553fad75ae047618e10fa92d7f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3cf0e52d804a1066e99fbd2e765dc3d4

SHA1
6ce726760090d9ca132d3179b181b0b08ac0037d

SHA256
cccf75d78d0bdbd4a9dd0216edf7c5fd8d5a19a363943dcd75cc2247397aa2e0

SHA512
2db46a57d9cc83db9130b84c445b89ac4f8ba8b7bde532081c5f41166cfe9a463c05c751fba375457e10285190a3ce5bab2e595ed4d196302a340f2f461fc330

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3cf0e52d804a1066e99fbd2e765dc3d4

SHA1
6ce726760090d9ca132d3179b181b0b08ac0037d

SHA256
cccf75d78d0bdbd4a9dd0216edf7c5fd8d5a19a363943dcd75cc2247397aa2e0

SHA512
2db46a57d9cc83db9130b84c445b89ac4f8ba8b7bde532081c5f41166cfe9a463c05c751fba375457e10285190a3ce5bab2e595ed4d196302a340f2f461fc330

Download Submit
C:\Users\Admin\AppData\Local\Temp\2626857801\backup.exe

Filesize
72KB

MD5
55dc7c2505d04e76de46a2b2664a9932

SHA1
3d6f5893f81f9a69d931a120aa35f08bab959b02

SHA256
24986796ee7609c87f0a86523f64174dba9836176e3268c2793c614902213d6f

SHA512
62c8cc8607531d12523825d4f4de240472e8aa40ae4bc93c5fc67b815f5b183becf0dba813d6daaa005ab21a2e5477baaf694cc0dbac16d0d01ac9cf847d68a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2626857801\backup.exe

Filesize
72KB

MD5
55dc7c2505d04e76de46a2b2664a9932

SHA1
3d6f5893f81f9a69d931a120aa35f08bab959b02

SHA256
24986796ee7609c87f0a86523f64174dba9836176e3268c2793c614902213d6f

SHA512
62c8cc8607531d12523825d4f4de240472e8aa40ae4bc93c5fc67b815f5b183becf0dba813d6daaa005ab21a2e5477baaf694cc0dbac16d0d01ac9cf847d68a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2626857801\backup.exe

Filesize
72KB

MD5
55dc7c2505d04e76de46a2b2664a9932

SHA1
3d6f5893f81f9a69d931a120aa35f08bab959b02

SHA256
24986796ee7609c87f0a86523f64174dba9836176e3268c2793c614902213d6f

SHA512
62c8cc8607531d12523825d4f4de240472e8aa40ae4bc93c5fc67b815f5b183becf0dba813d6daaa005ab21a2e5477baaf694cc0dbac16d0d01ac9cf847d68a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
4f4844c0109ea25c01edc9784d85c793

SHA1
b19d33bef94a4d1cee3aa5bda7f2b97f9e2de089

SHA256
843953d04b1254246b19d141a74379b2d2384a362044d2282f00c00655ef2c36

SHA512
06375a3b20b57de09d8906bae36d70a9465c2a6c8ceadc1b69f93fae6bb926d0a4ed12f03c15fbed894d880164a95459c86f5260cbff638a1b8765aeea235147

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
2be33d63ba97cd2f8962c0153eb316d8

SHA1
63c1b034024ac328bb6d6a605d97c26dcf5abdb7

SHA256
933790628e012fe052eacb38c29e0c3fa34b84395e5c944658bdf665c59eac1f

SHA512
a933ab7f5f0e0ce12461617ab145a6091419e059bd45fd6ac6fb26eed88b382db3e67715be8720c2b71014279026c7bc13fa15cd0e87124529bfb5cc1ba0fa3d

Download Submit
C:\backup.exe

Filesize
72KB

MD5
2be33d63ba97cd2f8962c0153eb316d8

SHA1
63c1b034024ac328bb6d6a605d97c26dcf5abdb7

SHA256
933790628e012fe052eacb38c29e0c3fa34b84395e5c944658bdf665c59eac1f

SHA512
a933ab7f5f0e0ce12461617ab145a6091419e059bd45fd6ac6fb26eed88b382db3e67715be8720c2b71014279026c7bc13fa15cd0e87124529bfb5cc1ba0fa3d

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
12b9a98ad9bc8fcb4c9e50b6ce0821f0

SHA1
38638282fac91bf6f6035c97cca9baba29a6c557

SHA256
408bddea0470b5ede22844cd18235d1157c430acf042e25113035252efa121db

SHA512
6e155855eac29c16bba35d42921627d0fb33f70546ba9f3c974bbc6822b5cb6ae7e93b1333c3bedb474887b80e2381c3d342c415791c015d06e051bf76abd963

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
12b9a98ad9bc8fcb4c9e50b6ce0821f0

SHA1
38638282fac91bf6f6035c97cca9baba29a6c557

SHA256
408bddea0470b5ede22844cd18235d1157c430acf042e25113035252efa121db

SHA512
6e155855eac29c16bba35d42921627d0fb33f70546ba9f3c974bbc6822b5cb6ae7e93b1333c3bedb474887b80e2381c3d342c415791c015d06e051bf76abd963

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
9c6cd2d9cf5fb52cf370a9ed992608a8

SHA1
9de5b8d363399a3a130451a3a910abfc84aca6f7

SHA256
ce0de3e7164851c4a3569089b86e8e64cd494b8dd4c9d08906bede074bdb9e7f

SHA512
281eeeef51e019801a2fe9e6cddc9b184ac1197976213e56c62b0e6ca460a38ddea6112a4036325e3999bc13ae58edc5405aa0a61a71b5df8b6566d05a41f534

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
9c6cd2d9cf5fb52cf370a9ed992608a8

SHA1
9de5b8d363399a3a130451a3a910abfc84aca6f7

SHA256
ce0de3e7164851c4a3569089b86e8e64cd494b8dd4c9d08906bede074bdb9e7f

SHA512
281eeeef51e019801a2fe9e6cddc9b184ac1197976213e56c62b0e6ca460a38ddea6112a4036325e3999bc13ae58edc5405aa0a61a71b5df8b6566d05a41f534

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e6ad39e39f9ed84bec95350851db7cd8

SHA1
1bcbd5044c50b60e2fa113d8486f867f49da6005

SHA256
a6731c17b4782e2b180658fa0b6ee32129951761b7692495b1eeead226089750

SHA512
2859bbd7a0027b48a2d87111a35166cee44e34c54012fde2f069a599306bf9d675f4aaf968216cc88beaed424f853e951245ae9c7472a750068616f7cc5cf13e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5b29d7320ed08cfc30574894c926f442

SHA1
56c6d0fa3bbc33eeaad58e76ff90f572b87de302

SHA256
03608739b1eaa9daaf3b9742398d9abbe95c099cd7c5c7fa7cbb9303ea325fac

SHA512
696c9f069aeecd7824527cb83bf4dbb7af4d05e3848681fa48a579d4fc9361faa44da13bad967a3a0fa692053b8b5d9a32487d553fad75ae047618e10fa92d7f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5b29d7320ed08cfc30574894c926f442

SHA1
56c6d0fa3bbc33eeaad58e76ff90f572b87de302

SHA256
03608739b1eaa9daaf3b9742398d9abbe95c099cd7c5c7fa7cbb9303ea325fac

SHA512
696c9f069aeecd7824527cb83bf4dbb7af4d05e3848681fa48a579d4fc9361faa44da13bad967a3a0fa692053b8b5d9a32487d553fad75ae047618e10fa92d7f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
eba462654a3d3b8800d1c1bb88f5f345

SHA1
55b9d43e75f46e104d93710b8d7f220f61ee493b

SHA256
91dc8eec9f932f17492e1befec9ba1060ad648e203eba16bf1f0d075d554f400

SHA512
ffed4cf5c117411dd918f292024b4d626fc241197f8d9229c77723090b489f719f61c39df71577118cf726b0dadc7c9f9858b832de95156e5fb41703564e26f9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe

Filesize
72KB

MD5
5b29d7320ed08cfc30574894c926f442

SHA1
56c6d0fa3bbc33eeaad58e76ff90f572b87de302

SHA256
03608739b1eaa9daaf3b9742398d9abbe95c099cd7c5c7fa7cbb9303ea325fac

SHA512
696c9f069aeecd7824527cb83bf4dbb7af4d05e3848681fa48a579d4fc9361faa44da13bad967a3a0fa692053b8b5d9a32487d553fad75ae047618e10fa92d7f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cfd808c2eb3ec57639c70e49fe754a7

SHA1
32d292c69b4f6b5015c87d5121a454843fbd4a90

SHA256
5bb2175c0b320730dfa9f96e8452b1548a25d8623de5902245c136404e55f4c5

SHA512
a80090d52890c8f95d9e4cf202802371376862664068158f7729c8dcce3d6967ac2e537be9c5b205b2e3038480a6ce3afdf4519984108086db11a5f31e8b3cbd

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3cf0e52d804a1066e99fbd2e765dc3d4

SHA1
6ce726760090d9ca132d3179b181b0b08ac0037d

SHA256
cccf75d78d0bdbd4a9dd0216edf7c5fd8d5a19a363943dcd75cc2247397aa2e0

SHA512
2db46a57d9cc83db9130b84c445b89ac4f8ba8b7bde532081c5f41166cfe9a463c05c751fba375457e10285190a3ce5bab2e595ed4d196302a340f2f461fc330

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3cf0e52d804a1066e99fbd2e765dc3d4

SHA1
6ce726760090d9ca132d3179b181b0b08ac0037d

SHA256
cccf75d78d0bdbd4a9dd0216edf7c5fd8d5a19a363943dcd75cc2247397aa2e0

SHA512
2db46a57d9cc83db9130b84c445b89ac4f8ba8b7bde532081c5f41166cfe9a463c05c751fba375457e10285190a3ce5bab2e595ed4d196302a340f2f461fc330

Download Submit
\Users\Admin\AppData\Local\Temp\2626857801\backup.exe

Filesize
72KB

MD5
55dc7c2505d04e76de46a2b2664a9932

SHA1
3d6f5893f81f9a69d931a120aa35f08bab959b02

SHA256
24986796ee7609c87f0a86523f64174dba9836176e3268c2793c614902213d6f

SHA512
62c8cc8607531d12523825d4f4de240472e8aa40ae4bc93c5fc67b815f5b183becf0dba813d6daaa005ab21a2e5477baaf694cc0dbac16d0d01ac9cf847d68a8

Download Submit
\Users\Admin\AppData\Local\Temp\2626857801\backup.exe

Filesize
72KB

MD5
55dc7c2505d04e76de46a2b2664a9932

SHA1
3d6f5893f81f9a69d931a120aa35f08bab959b02

SHA256
24986796ee7609c87f0a86523f64174dba9836176e3268c2793c614902213d6f

SHA512
62c8cc8607531d12523825d4f4de240472e8aa40ae4bc93c5fc67b815f5b183becf0dba813d6daaa005ab21a2e5477baaf694cc0dbac16d0d01ac9cf847d68a8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce621ba16ba03e4c246a678a309ca141

SHA1
d12da35ada2c28409419d093f9907be66ce7455b

SHA256
0d77dde4d6c074df583b02b3f5b19675213b1fc00d37ad5a6cbfa694837a4a18

SHA512
4c9986cdec9b279b2de97c93a405e75555b7f574747ba39d049f1d31b1c00ec54502f17112f2636cd0417fc41e583735dcaedaed87717debbd47092006225dc6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0bc35d185ad24ec1a9b543ac6704b17a

SHA1
bd9c50b9e7c6c55589d885771226fce040132570

SHA256
45687a710f5fc2f018ecb4cd420537ea2e379ba3048cd688615fbe268e2d46b3

SHA512
5da0c5b4c9e8be3130712d320d8fa8be86ec245105df740d6bb7b835d38859221b9722b3737cb4641d89a9f40c16bc1debbdaa0b862368f3db21d402ad2a54ed

Download Submit
memory/2084-115-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads