a25098ec7df7387fddee5de460c08e3eab42363f5c76c971dd84a8f777124629

Analysis

max time kernel
42s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
Size

72KB
MD5

67f1a446b6db7f959b0e760e5df9e830
SHA1

0c62504bcd3171143b46f3b52fcbe1b0cc49319a
SHA256

a25098ec7df7387fddee5de460c08e3eab42363f5c76c971dd84a8f777124629
SHA512

9deeb1096f3367ca9aa40cf6733eb4ce7417c315c3fc85c1535357bdac7e192434545f6f3cfbd994e06856efa61b39cdc59ea3f350a4ccd7d6fc3f332f4391ba
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGh:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRr0

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3016	backup.exe
2172	backup.exe
2652	backup.exe
2720	backup.exe
2792	update.exe
2932	backup.exe
2576	System Restore.exe
1944	backup.exe
1976	backup.exe
2928	backup.exe
2492	System Restore.exe
2584	backup.exe
896	backup.exe
780	backup.exe
1640	backup.exe
668	backup.exe
2620	backup.exe
1488	data.exe
2112	backup.exe
2364	backup.exe
1744	backup.exe
1552	backup.exe
1428	backup.exe
1956	backup.exe
784	backup.exe
1876	backup.exe
2388	backup.exe
2452	backup.exe
1156	backup.exe
1520	backup.exe
1728	backup.exe
1596	backup.exe
1588	backup.exe
1368	backup.exe
2208	backup.exe
2664	backup.exe
2952	backup.exe
2720	backup.exe
2556	backup.exe
2856	backup.exe
1792	backup.exe
2764	backup.exe
2360	backup.exe
1704	backup.exe
2836	backup.exe
2752	backup.exe
2000	backup.exe
824	backup.exe
760	backup.exe
2040	backup.exe
2844	update.exe
2888	backup.exe
2880	backup.exe
1972	backup.exe
2176	backup.exe
1020	backup.exe
1260	backup.exe
2976	backup.exe
2020	backup.exe
2708	backup.exe
2028	backup.exe
2348	update.exe
2424	data.exe
1348	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2792	update.exe
2792	update.exe
2792	update.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
1944	backup.exe
1944	backup.exe
1976	backup.exe
1976	backup.exe
1944	backup.exe
1944	backup.exe
2492	System Restore.exe
2492	System Restore.exe
2584	backup.exe
2584	backup.exe
2492	System Restore.exe
2492	System Restore.exe
780	backup.exe
780	backup.exe
1640	backup.exe
1640	backup.exe
1640	backup.exe
1640	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
2620	backup.exe
1944	backup.exe
1640	backup.exe
1640	backup.exe
1944	backup.exe
780	backup.exe
2620	backup.exe
2620	backup.exe
780	backup.exe
2492	System Restore.exe
2492	System Restore.exe
1428	backup.exe
1428	backup.exe
1552	backup.exe
1552	backup.exe
780	backup.exe
780	backup.exe
2620	backup.exe
2620	backup.exe
1876	backup.exe
1876	backup.exe
2620	backup.exe
1552	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
3016	backup.exe
2172	backup.exe
2652	backup.exe
2720	backup.exe
2792	update.exe
2932	backup.exe
2576	System Restore.exe
1944	backup.exe
1976	backup.exe
2928	backup.exe
2492	System Restore.exe
2584	backup.exe
896	backup.exe
780	backup.exe
1640	backup.exe
668	backup.exe
2620	backup.exe
1488	data.exe
2112	backup.exe
2364	backup.exe
1744	backup.exe
1428	backup.exe
1552	backup.exe
784	backup.exe
1956	backup.exe
1876	backup.exe
1520	backup.exe
2388	backup.exe
2452	backup.exe
1156	backup.exe
1728	backup.exe
1588	backup.exe
1596	backup.exe
1368	backup.exe
2208	backup.exe
2664	backup.exe
2952	backup.exe
2556	backup.exe
2720	backup.exe
2856	backup.exe
1792	backup.exe
2764	backup.exe
2360	backup.exe
1704	backup.exe
2752	backup.exe
2000	backup.exe
824	backup.exe
760	backup.exe
2040	backup.exe
2880	backup.exe
2888	backup.exe
2844	update.exe
2836	backup.exe
1972	backup.exe
1020	backup.exe
2176	backup.exe
1260	backup.exe
2976	backup.exe
2020	backup.exe
2348	update.exe
2708	backup.exe
1348	backup.exe
1932	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3016	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	28
PID 2440 wrote to memory of 3016	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	28
PID 2440 wrote to memory of 3016	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	28
PID 2440 wrote to memory of 3016	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	28
PID 2440 wrote to memory of 2172	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	29
PID 2440 wrote to memory of 2172	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	29
PID 2440 wrote to memory of 2172	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	29
PID 2440 wrote to memory of 2172	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	29
PID 2440 wrote to memory of 2652	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	30
PID 2440 wrote to memory of 2652	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	30
PID 2440 wrote to memory of 2652	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	30
PID 2440 wrote to memory of 2652	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	30
PID 2440 wrote to memory of 2720	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	31
PID 2440 wrote to memory of 2720	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	31
PID 2440 wrote to memory of 2720	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	31
PID 2440 wrote to memory of 2720	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	31
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2792	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	32
PID 2440 wrote to memory of 2932	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	33
PID 2440 wrote to memory of 2932	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	33
PID 2440 wrote to memory of 2932	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	33
PID 2440 wrote to memory of 2932	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	33
PID 2440 wrote to memory of 2576	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	34
PID 2440 wrote to memory of 2576	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	34
PID 2440 wrote to memory of 2576	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	34
PID 2440 wrote to memory of 2576	2440	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe	34
PID 3016 wrote to memory of 1944	3016	backup.exe	35
PID 3016 wrote to memory of 1944	3016	backup.exe	35
PID 3016 wrote to memory of 1944	3016	backup.exe	35
PID 3016 wrote to memory of 1944	3016	backup.exe	35
PID 1944 wrote to memory of 1976	1944	backup.exe	36
PID 1944 wrote to memory of 1976	1944	backup.exe	36
PID 1944 wrote to memory of 1976	1944	backup.exe	36
PID 1944 wrote to memory of 1976	1944	backup.exe	36
PID 1976 wrote to memory of 2928	1976	backup.exe	37
PID 1976 wrote to memory of 2928	1976	backup.exe	37
PID 1976 wrote to memory of 2928	1976	backup.exe	37
PID 1976 wrote to memory of 2928	1976	backup.exe	37
PID 1944 wrote to memory of 2492	1944	backup.exe	38
PID 1944 wrote to memory of 2492	1944	backup.exe	38
PID 1944 wrote to memory of 2492	1944	backup.exe	38
PID 1944 wrote to memory of 2492	1944	backup.exe	38
PID 2492 wrote to memory of 2584	2492	System Restore.exe	39
PID 2492 wrote to memory of 2584	2492	System Restore.exe	39
PID 2492 wrote to memory of 2584	2492	System Restore.exe	39
PID 2492 wrote to memory of 2584	2492	System Restore.exe	39
PID 2584 wrote to memory of 896	2584	backup.exe	40
PID 2584 wrote to memory of 896	2584	backup.exe	40
PID 2584 wrote to memory of 896	2584	backup.exe	40
PID 2584 wrote to memory of 896	2584	backup.exe	40
PID 2492 wrote to memory of 780	2492	System Restore.exe	41
PID 2492 wrote to memory of 780	2492	System Restore.exe	41
PID 2492 wrote to memory of 780	2492	System Restore.exe	41
PID 2492 wrote to memory of 780	2492	System Restore.exe	41
PID 780 wrote to memory of 1640	780	backup.exe	42
PID 780 wrote to memory of 1640	780	backup.exe	42
PID 780 wrote to memory of 1640	780	backup.exe	42
PID 780 wrote to memory of 1640	780	backup.exe	42
PID 1640 wrote to memory of 668	1640	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.67f1a446b6db7f959b0e760e5df9e830.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.67f1a446b6db7f959b0e760e5df9e830.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440
- C:\Users\Admin\AppData\Local\Temp\2188647766\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2188647766\backup.exe C:\Users\Admin\AppData\Local\Temp\2188647766\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3016
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2928
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2492
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2584
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:780
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2348
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        System policy modification
        
        PID:2108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:2504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:2532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2356
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:2660
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2316
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2676
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2116
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2768
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:784
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2720
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2764
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2836
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2140
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2088
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2496
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2724
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2452
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:396
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1156
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1164
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1520
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2068
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:996
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1908
        
        C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2260
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2208
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2856
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2040
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:2624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:3020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1752
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2968
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:704
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2376
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1928
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2832
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:592
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2348
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2120
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:552
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:3052
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2972
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2524
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2660
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2692
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1428
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2388
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2228
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2024
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2428
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1380
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2580
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2116
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1348
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:2864
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1100
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:708
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1080
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:620
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:812
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2124
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1864
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:708
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:2884
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1368
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:472
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1516
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2324
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2716
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2364
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\data.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1868
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:2932
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:2384
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:2172
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2268
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2816
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
        7⤵
        
        PID:568
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2876
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1308
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:2792
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2516
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:1696
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2404
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:984
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1692
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2552
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1484
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:980
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1676
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:2880
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:1300
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2228
        
        C:\Windows\assembly\GAC\Extensibility\System Restore.exe
        
        "C:\Windows\assembly\GAC\Extensibility\System Restore.exe" C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:1732
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2176
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:3060
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1812
    - - C:\Windows\CSC\update.exe
        
        C:\Windows\CSC\update.exe C:\Windows\CSC\
        5⤵
        
        PID:1780
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2840
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1195b1a6e0ec5f4a1123332e3c974c44

SHA1
501a60cc4e31f5ba94063a88cebf67b737a41ac4

SHA256
6e57bab1885a91e9ef82792958fcdaac2e664296c47279040edd64a69a2ca637

SHA512
1c6b5a789d921bdaa011c80dd07ff3260894da48f59d65272a3dbcfbc3e4923fd8160e9e957e8e1eebf5a2a765adfd8036926150d45f3ff6149e60c07a26d000

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
e1b03d5d4ff153588ab2085d407c6cae

SHA1
5a869ad3555422695459418b775f1a5f9895eddf

SHA256
701a0e182c8c88c9e1d3e1dd1fb1ab7afdd0d57ceedbfab9ebf815f2151bacce

SHA512
eeae20eba5958e8649874838022eb551cdd35caf466786e445bbaa17e967c5a9b7d7f69073c7437a5e7c7543f1d60caa36bbfa93edcc4252a5f44e5e3d5f7f55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0d24a86bcaa1eaea8f75a57da97b8cbf

SHA1
6220d514748052cf93cd9865c22cdd54e1d0729e

SHA256
9fe5f1de251e548df4ad5be439b5f4709941eee5e29b1b8a797912a00fb8fd81

SHA512
beb65a07b45cf9746d939e19dd2c5ff1e9e1a0707c6741a5776bd86d07db3aa1958a6036129b5bcf9717c361790788099cc25a02b4fefd51233c272c0063a8c6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0d24a86bcaa1eaea8f75a57da97b8cbf

SHA1
6220d514748052cf93cd9865c22cdd54e1d0729e

SHA256
9fe5f1de251e548df4ad5be439b5f4709941eee5e29b1b8a797912a00fb8fd81

SHA512
beb65a07b45cf9746d939e19dd2c5ff1e9e1a0707c6741a5776bd86d07db3aa1958a6036129b5bcf9717c361790788099cc25a02b4fefd51233c272c0063a8c6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2188647766\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2188647766\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2188647766\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
5980d04c7b606ca31602539034adf055

SHA1
c8a7b6e05eeadb3b31052bb82a5d6bd6f89603c7

SHA256
c0072a6d2bd2c6232856fc07f8760814607b328bb5302295cf1dc3320a3e0658

SHA512
f479787d289e604440efcec85a79e848d16449afcbc820f27db1234ef8447cb2f90eb7d8d106c409435d77ba3ef115061082ddd666d45ea9626a090c0b6f38bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
981e8cbbab3ac808294e3cbab66991f2

SHA1
779b2438bb603bb98a6a7d1d90ac9df1a079e22e

SHA256
8b9ed0e9c8a3c20c5f908f589733c86e1feb58a26db70d7edcfb859d5bdef7fb

SHA512
6200b7c326d2ba165bbee51b3400eb7daa68fb5937aa57e94fd9cec18564ab8968bf3afe9dfabfa3d61257fed4f3384b8eb80f555e594cd209a69b1b1ab66944

Download Submit
C:\backup.exe

Filesize
72KB

MD5
981e8cbbab3ac808294e3cbab66991f2

SHA1
779b2438bb603bb98a6a7d1d90ac9df1a079e22e

SHA256
8b9ed0e9c8a3c20c5f908f589733c86e1feb58a26db70d7edcfb859d5bdef7fb

SHA512
6200b7c326d2ba165bbee51b3400eb7daa68fb5937aa57e94fd9cec18564ab8968bf3afe9dfabfa3d61257fed4f3384b8eb80f555e594cd209a69b1b1ab66944

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1195b1a6e0ec5f4a1123332e3c974c44

SHA1
501a60cc4e31f5ba94063a88cebf67b737a41ac4

SHA256
6e57bab1885a91e9ef82792958fcdaac2e664296c47279040edd64a69a2ca637

SHA512
1c6b5a789d921bdaa011c80dd07ff3260894da48f59d65272a3dbcfbc3e4923fd8160e9e957e8e1eebf5a2a765adfd8036926150d45f3ff6149e60c07a26d000

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1195b1a6e0ec5f4a1123332e3c974c44

SHA1
501a60cc4e31f5ba94063a88cebf67b737a41ac4

SHA256
6e57bab1885a91e9ef82792958fcdaac2e664296c47279040edd64a69a2ca637

SHA512
1c6b5a789d921bdaa011c80dd07ff3260894da48f59d65272a3dbcfbc3e4923fd8160e9e957e8e1eebf5a2a765adfd8036926150d45f3ff6149e60c07a26d000

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
79daf457aa32bbd7877598388f162b48

SHA1
649f2863ed4d51b3f04ea6901f9f3b8bd5fc64c4

SHA256
d369d9ecb228c7348251fe43917ada7bfa0c73a898e427a40c12ac19615279a3

SHA512
88c9dfeb15522fd99a201b6226e97e5bf0b6a53da6d66464a9935a0f88f1b0764a85d97cdf65877be231edc1d3802e206b9a370d663eb6dc1de7cb71f8853cf7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
e1b03d5d4ff153588ab2085d407c6cae

SHA1
5a869ad3555422695459418b775f1a5f9895eddf

SHA256
701a0e182c8c88c9e1d3e1dd1fb1ab7afdd0d57ceedbfab9ebf815f2151bacce

SHA512
eeae20eba5958e8649874838022eb551cdd35caf466786e445bbaa17e967c5a9b7d7f69073c7437a5e7c7543f1d60caa36bbfa93edcc4252a5f44e5e3d5f7f55

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
e1b03d5d4ff153588ab2085d407c6cae

SHA1
5a869ad3555422695459418b775f1a5f9895eddf

SHA256
701a0e182c8c88c9e1d3e1dd1fb1ab7afdd0d57ceedbfab9ebf815f2151bacce

SHA512
eeae20eba5958e8649874838022eb551cdd35caf466786e445bbaa17e967c5a9b7d7f69073c7437a5e7c7543f1d60caa36bbfa93edcc4252a5f44e5e3d5f7f55

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0d24a86bcaa1eaea8f75a57da97b8cbf

SHA1
6220d514748052cf93cd9865c22cdd54e1d0729e

SHA256
9fe5f1de251e548df4ad5be439b5f4709941eee5e29b1b8a797912a00fb8fd81

SHA512
beb65a07b45cf9746d939e19dd2c5ff1e9e1a0707c6741a5776bd86d07db3aa1958a6036129b5bcf9717c361790788099cc25a02b4fefd51233c272c0063a8c6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0d24a86bcaa1eaea8f75a57da97b8cbf

SHA1
6220d514748052cf93cd9865c22cdd54e1d0729e

SHA256
9fe5f1de251e548df4ad5be439b5f4709941eee5e29b1b8a797912a00fb8fd81

SHA512
beb65a07b45cf9746d939e19dd2c5ff1e9e1a0707c6741a5776bd86d07db3aa1958a6036129b5bcf9717c361790788099cc25a02b4fefd51233c272c0063a8c6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e1b03d5d4ff153588ab2085d407c6cae

SHA1
5a869ad3555422695459418b775f1a5f9895eddf

SHA256
701a0e182c8c88c9e1d3e1dd1fb1ab7afdd0d57ceedbfab9ebf815f2151bacce

SHA512
eeae20eba5958e8649874838022eb551cdd35caf466786e445bbaa17e967c5a9b7d7f69073c7437a5e7c7543f1d60caa36bbfa93edcc4252a5f44e5e3d5f7f55

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8a83d37c4858afe6c95b24d0c46e931d

SHA1
b5efcafc42c08eb5ddadea066eb68df038280b28

SHA256
b41cf0179bd566f8cb2ba015fc8a23417c8f7bdafcf9b42e602de2685bf0af3f

SHA512
c65ae6ecf50cbe7801fbf961be8e5cc853540cf9fe67ae57daa376a67541a0b319e219a7736748865434f826b536eedef86e185526f48ed2a009b75c44f09c20

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
e2448829e4a25142b5e0ef26ac847ba1

SHA1
2c7cc037302def91aa3aa3be43470e2aab2708f7

SHA256
046799fd74110e137068e5e92e33fc4dd01fb7ea9d989d273b39e646ded501b4

SHA512
b6c5adcd1b367b96064e40140f12c570eb50ee985fe57f8543526910ccc46da110eb801ce0e0db7091d1777ce5c5e8a1fe749978e17bf4a14284fc05cea4cafa

Download Submit
\Users\Admin\AppData\Local\Temp\2188647766\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
\Users\Admin\AppData\Local\Temp\2188647766\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
9a193527bf3b85bee81277b45a46d290

SHA1
5dea131351940eb23eafe5cd1a937d0b23275c92

SHA256
3e72624ef041927569d35310b5d21ca3ecbd3fb572952eee24777a971c7d0b09

SHA512
ac4841e95ff384fbcb2c27f0d6064d0aa3abc6eb89fdb60d2d9f19c5ebf448d6bc3f2540fc2f6253879eee0f38f2246bee42e09d3e7d820adbc4bfc4ce6d80dc

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1166e6dec9d893f42dd0b450f3da5c55

SHA1
fac796a28ba9b4c51cb80bfa15126ed7335f5c48

SHA256
3699aa09715ad706d84199a3ec90e62485ba61cc664347f0aabad7959328db0c

SHA512
bdf39de87c8abafddb3d417737a5bcb571931a435f5b461e7d45400a885c2167bc4e1dd56154f1eb243213acd8b4350bbf4b44258a9dffff2b9c25e1349ef3fb

Download Submit
memory/2440-132-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads