Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
21/10/2023, 21:27
Behavioral task
behavioral1
Sample
NEAS.9baa4e261aae7758d97afae793925c90.exe
Resource
win7-20231020-en
General
-
Target
NEAS.9baa4e261aae7758d97afae793925c90.exe
-
Size
338KB
-
MD5
9baa4e261aae7758d97afae793925c90
-
SHA1
ec233554ce55d83e6631dc13b50a535debb4a1f1
-
SHA256
d918a05cf4d02e876bfcfec8c9f48963c842dfb4c827b601ec417e02ced034aa
-
SHA512
fd157db638759dfd88a501a23b5c6d42541981b1f01f4753606d0769255a4201d3896098260920c9c773501e6982c86c3060edf6636967531398d120fda7118e
-
SSDEEP
3072:BmVwRKCrIYlW9dLKEl4MC0iFixWS1WC2P9/KvQ:BmVn6O4Ep3s7BZr
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 
"1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" update.exe -
Executes dropped EXE 64 IoCs
pid Process 2856 System Restore.exe 2784 backup.exe 2676 backup.exe 2776 backup.exe 2740 backup.exe 2564 backup.exe 3068 backup.exe 3024 backup.exe 868 backup.exe 1908 backup.exe 2816 backup.exe 2204 backup.exe 1956 backup.exe 1612 backup.exe 2936 backup.exe 2444 backup.exe 2452 backup.exe 1056 backup.exe 1788 update.exe 1064 backup.exe 1008 backup.exe 1400 backup.exe 2112 backup.exe 2908 backup.exe 2116 backup.exe 2368 backup.exe 1592 backup.exe 3060 backup.exe 1588 backup.exe 2720 backup.exe 2672 backup.exe 2760 backup.exe 2820 backup.exe 2740 backup.exe 2560 update.exe 3004 backup.exe 528 backup.exe 2616 backup.exe 328 backup.exe 2160 backup.exe 1604 backup.exe 2876 backup.exe 1216 backup.exe 2148 backup.exe 1208 backup.exe 1524 backup.exe 1068 backup.exe 1664 backup.exe 608 backup.exe 2928 backup.exe 2940 backup.exe 2444 backup.exe 1020 backup.exe 1916 backup.exe 1752 backup.exe 916 System Restore.exe 1284 backup.exe 952 backup.exe 2020 backup.exe 1008 backup.exe 2292 backup.exe 2112 backup.exe 1968 backup.exe 3032 backup.exe -
Loads dropped DLL 64 IoCs
pid Process 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 3024 backup.exe 3024 backup.exe 868 backup.exe 868 backup.exe 3024 backup.exe 3024 backup.exe 2816 backup.exe 2816 backup.exe 2204 backup.exe 2204 backup.exe 2816 backup.exe 2816 backup.exe 1612 backup.exe 1612 backup.exe 2936 backup.exe 2936 backup.exe 2936 backup.exe 2936 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 1788 update.exe 1788 update.exe 1788 update.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 2452 backup.exe 1588 backup.exe 1588 backup.exe 1588 backup.exe 1588 backup.exe 1588 backup.exe 1588 backup.exe -
UPX packed file 64 IoCs
resource yara_rule behavioral1/memory/2056-0-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x002f00000001228e-5.dat upx behavioral1/files/0x002f00000001228e-9.dat upx behavioral1/files/0x002f00000001228e-7.dat upx behavioral1/files/0x002f00000001228e-11.dat upx behavioral1/memory/2856-15-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0007000000016ae2-18.dat upx behavioral1/files/0x0007000000016ae2-20.dat upx behavioral1/files/0x0007000000016ae2-24.dat upx behavioral1/memory/2784-28-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0007000000016c2a-29.dat upx behavioral1/files/0x0007000000016c2a-35.dat upx behavioral1/files/0x0007000000016c2a-31.dat upx behavioral1/files/0x0031000000015eb0-39.dat upx behavioral1/files/0x0031000000015eb0-45.dat upx behavioral1/files/0x0031000000015eb0-41.dat upx behavioral1/memory/2056-48-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2776-51-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0009000000016c35-52.dat upx behavioral1/files/0x0009000000016c35-58.dat upx behavioral1/memory/2856-59-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0009000000016c35-54.dat upx behavioral1/memory/2740-63-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x000a000000016c23-70.dat upx behavioral1/files/0x000a000000016c23-66.dat upx behavioral1/files/0x000a000000016c23-64.dat upx behavioral1/files/0x002f00000001228e-74.dat upx behavioral1/memory/2564-76-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0006000000016d1d-89.dat upx behavioral1/files/0x0006000000016d1d-85.dat upx behavioral1/files/0x0006000000016d01-90.dat upx behavioral1/memory/2676-84-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0006000000016d1d-79.dat upx behavioral1/memory/3068-96-0x0000000000400000-0x000000000041C000-memory.dmp upx 
behavioral1/memory/3068-98-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0006000000016d01-100.dat upx behavioral1/files/0x0006000000016d2e-102.dat upx behavioral1/files/0x0006000000016d2e-108.dat upx behavioral1/files/0x0006000000016d2e-104.dat upx behavioral1/files/0x0006000000016d2e-113.dat upx behavioral1/files/0x0006000000016d63-115.dat upx behavioral1/files/0x0006000000016d63-118.dat upx behavioral1/files/0x0006000000016d63-122.dat upx behavioral1/memory/1908-128-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/868-127-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0006000000016d77-129.dat upx behavioral1/files/0x0006000000016d77-131.dat upx behavioral1/files/0x0006000000016d77-136.dat upx behavioral1/files/0x0006000000016d77-139.dat upx behavioral1/files/0x0007000000016d6c-146.dat upx behavioral1/files/0x0007000000016d6c-150.dat upx behavioral1/memory/2856-145-0x0000000000270000-0x000000000028C000-memory.dmp upx behavioral1/files/0x0007000000016d6c-143.dat upx behavioral1/memory/2204-155-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/3024-156-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0007000000016d6c-158.dat upx behavioral1/files/0x0006000000016d82-160.dat upx behavioral1/files/0x0006000000016d82-162.dat upx behavioral1/files/0x0006000000016d82-166.dat upx behavioral1/memory/2204-174-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1956-176-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/files/0x0007000000016d7d-184.dat upx behavioral1/files/0x0007000000016d7d-190.dat upx behavioral1/files/0x0007000000016d7d-186.dat upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\data.exe data.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe backup.exe File opened for modification C:\Program Files\Common Files\System\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\de-DE\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe backup.exe File opened for 
modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe System Restore.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\images\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\System\ado\it-IT\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\System\backup.exe backup.exe File opened for modification C:\Program Files\Google\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe update.exe File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe backup.exe File opened for 
modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\es-ES\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe backup.exe File opened for modification C:\Program Files (x86)\Internet Explorer\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\de-DE\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\Services\update.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe backup.exe File opened for modification 
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe backup.exe File opened for modification C:\Program Files\Internet Explorer\fr-FR\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe update.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe backup.exe File opened for modification C:\Program Files\MSBuild\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe backup.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\backup.exe backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 2856 System Restore.exe 2784 backup.exe 2676 backup.exe 2776 backup.exe 2740 backup.exe 2564 backup.exe 3068 backup.exe 3024 backup.exe 868 backup.exe 1908 backup.exe 2816 backup.exe 2204 backup.exe 1956 backup.exe 1612 backup.exe 2936 backup.exe 2444 backup.exe 2452 backup.exe 1056 backup.exe 1788 update.exe 1064 backup.exe 1008 backup.exe 1400 backup.exe 2112 backup.exe 2908 backup.exe 2116 backup.exe 2368 backup.exe 1592 backup.exe 3060 backup.exe 1588 backup.exe 2720 backup.exe 2672 backup.exe 2760 backup.exe 2820 backup.exe 2740 backup.exe 2560 update.exe 3004 backup.exe 528 backup.exe 2616 backup.exe 328 backup.exe 2160 backup.exe 1604 backup.exe 2876 backup.exe 1216 backup.exe 2148 backup.exe 1208 backup.exe 1524 backup.exe 1068 backup.exe 1664 backup.exe 608 backup.exe 2928 backup.exe 2940 backup.exe 2444 backup.exe 1020 backup.exe 1916 backup.exe 1752 backup.exe 916 System Restore.exe 1284 backup.exe 952 backup.exe 2020 backup.exe 1008 backup.exe 2292 backup.exe 2112 backup.exe 1968 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2856 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 28 PID 2056 wrote to memory of 2856 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 28 PID 2056 wrote to memory of 2856 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 28 PID 2056 wrote to memory of 2856 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 28 PID 2056 wrote to memory of 2784 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 29 PID 2056 wrote to memory of 2784 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 29 PID 2056 wrote to memory of 2784 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 29 PID 2056 wrote to memory of 2784 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 29 PID 2056 wrote to memory of 2676 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 30 PID 2056 wrote to memory of 2676 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 30 PID 2056 wrote to memory of 2676 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 30 PID 2056 wrote to memory of 2676 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 30 PID 2056 wrote to memory of 2776 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 31 PID 2056 wrote to memory of 2776 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 31 PID 2056 wrote to memory of 2776 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 31 PID 2056 wrote to memory of 2776 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 31 PID 2056 wrote to memory of 2740 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 32 PID 2056 wrote to memory of 2740 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 32 PID 2056 wrote to memory of 2740 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 32 PID 2056 wrote to memory of 2740 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 32 PID 2056 wrote to memory of 2564 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 33 PID 2056 wrote to memory of 2564 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 33 PID 2056 wrote to memory of 2564 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 33 PID 2056 wrote to memory of 2564 2056 
NEAS.9baa4e261aae7758d97afae793925c90.exe 33 PID 2856 wrote to memory of 3024 2856 System Restore.exe 34 PID 2856 wrote to memory of 3024 2856 System Restore.exe 34 PID 2856 wrote to memory of 3024 2856 System Restore.exe 34 PID 2856 wrote to memory of 3024 2856 System Restore.exe 34 PID 2056 wrote to memory of 3068 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 35 PID 2056 wrote to memory of 3068 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 35 PID 2056 wrote to memory of 3068 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 35 PID 2056 wrote to memory of 3068 2056 NEAS.9baa4e261aae7758d97afae793925c90.exe 35 PID 3024 wrote to memory of 868 3024 backup.exe 36 PID 3024 wrote to memory of 868 3024 backup.exe 36 PID 3024 wrote to memory of 868 3024 backup.exe 36 PID 3024 wrote to memory of 868 3024 backup.exe 36 PID 868 wrote to memory of 1908 868 backup.exe 37 PID 868 wrote to memory of 1908 868 backup.exe 37 PID 868 wrote to memory of 1908 868 backup.exe 37 PID 868 wrote to memory of 1908 868 backup.exe 37 PID 3024 wrote to memory of 2816 3024 backup.exe 38 PID 3024 wrote to memory of 2816 3024 backup.exe 38 PID 3024 wrote to memory of 2816 3024 backup.exe 38 PID 3024 wrote to memory of 2816 3024 backup.exe 38 PID 2816 wrote to memory of 2204 2816 backup.exe 39 PID 2816 wrote to memory of 2204 2816 backup.exe 39 PID 2816 wrote to memory of 2204 2816 backup.exe 39 PID 2816 wrote to memory of 2204 2816 backup.exe 39 PID 2204 wrote to memory of 1956 2204 backup.exe 40 PID 2204 wrote to memory of 1956 2204 backup.exe 40 PID 2204 wrote to memory of 1956 2204 backup.exe 40 PID 2204 wrote to memory of 1956 2204 backup.exe 40 PID 2816 wrote to memory of 1612 2816 backup.exe 41 PID 2816 wrote to memory of 1612 2816 backup.exe 41 PID 2816 wrote to memory of 1612 2816 backup.exe 41 PID 2816 wrote to memory of 1612 2816 backup.exe 41 PID 1612 wrote to memory of 2936 1612 backup.exe 42 PID 1612 wrote to memory of 2936 1612 backup.exe 42 PID 1612 wrote to memory of 2936 1612 
backup.exe 42 PID 1612 wrote to memory of 2936 1612 backup.exe 42 PID 2936 wrote to memory of 2444 2936 backup.exe 43 PID 2936 wrote to memory of 2444 2936 backup.exe 43 PID 2936 wrote to memory of 2444 2936 backup.exe 43 PID 2936 wrote to memory of 2444 2936 backup.exe 43 -
System policy modification 1 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer data.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" update.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" System Restore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" update.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer System Restore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer update.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer System Restore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer System Restore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" data.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe
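Processes
Reading this tree: each entry is the image path immediately followed by its command line, and the number before ⤵ is the nesting depth. The entry printed as `C:\backup.exe\backup.exe \3⤵` therefore appears to be image C:\backup.exe with command line `\backup.exe \`, not a directory named backup.exe. Each dropped copy is started with its own directory as the argument and appears to start a further copy in each subdirectory, so the tree follows the directory layout of the volume. PIDs are reused during the run (for example 1008, 2112, 2444 and 2876 each appear under more than one path), so correlate events on image path plus PID, not on PID alone.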
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9baa4e261aae7758d97afae793925c90.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9baa4e261aae7758d97afae793925c90.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\1815963383\System Restore.exe"C:\Users\Admin\AppData\Local\Temp\1815963383\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\1815963383\2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\backup.exe\backup.exe \3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3024 -
C:\PerfLogs\backup.exeC:\PerfLogs\backup.exe C:\PerfLogs\4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:868 -
C:\PerfLogs\Admin\backup.exeC:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1908
-
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956
-
-
-
C:\Program Files\Common Files\backup.exe"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2936 -
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2444
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2452 -
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1056
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1788
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1064
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2908
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2116
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3060
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1588 -
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2720
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2672
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2760
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2820
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2740
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2560
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3004
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:528
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616
-
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2160
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1604
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1208
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1068
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1664
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:608
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2940
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1020
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:916
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1284
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:952
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2292
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1968
-
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
PID:3032 -
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\8⤵
- System policy modification
PID:1996
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\8⤵PID:1572
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\8⤵PID:2660
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\8⤵PID:2788
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\8⤵PID:2768
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2600
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1640 -
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\8⤵
- Modifies visibility of file extensions in Explorer
PID:2744
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2632
-
-
C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\7⤵PID:2580
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\7⤵
- Drops file in Program Files directory
PID:2300 -
C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\8⤵PID:592
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\data.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\8⤵
- System policy modification
PID:2616
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\8⤵
- System policy modification
PID:1516
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\8⤵
- System policy modification
PID:568
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
PID:2668
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\8⤵
- Modifies visibility of file extensions in Explorer
PID:2516
-
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\7⤵
- Drops file in Program Files directory
PID:1456 -
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2232
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\8⤵PID:1780
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
PID:2012
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\8⤵PID:1080
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
PID:2240
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\8⤵
- System policy modification
PID:1876
-
-
-
C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\7⤵
- System policy modification
PID:2944
-
-
C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\7⤵
- System policy modification
PID:784
-
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\7⤵
- Modifies visibility of file extensions in Explorer
PID:2136 -
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\data.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\8⤵PID:2984
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\data.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\9⤵
- System policy modification
PID:3064
-
-
-
-
-
C:\Program Files\Common Files\Services\backup.exe"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2276
-
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\6⤵PID:1008
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\6⤵
- Modifies visibility of file extensions in Explorer
PID:2480 -
C:\Program Files\Common Files\System\ado\backup.exe"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\7⤵
- Drops file in Program Files directory
- System policy modification
PID:2876 -
C:\Program Files\Common Files\System\ado\de-DE\backup.exe"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\8⤵
- System policy modification
PID:2016
-
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\8⤵
- Modifies visibility of file extensions in Explorer
PID:2500
-
-
C:\Program Files\Common Files\System\ado\es-ES\backup.exe"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\8⤵PID:2916
-
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\8⤵PID:2236
-
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\8⤵PID:2568
-
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\7⤵PID:2412
-
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\7⤵PID:2628
-
-
C:\Program Files\Common Files\System\es-ES\backup.exe"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\7⤵PID:2376
-
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\7⤵PID:2784
-
-
C:\Program Files\Common Files\System\it-IT\backup.exe"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\7⤵PID:1956
-
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\7⤵PID:896
-
-
C:\Program Files\Common Files\System\msadc\backup.exe"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\7⤵PID:1464
-
-
C:\Program Files\Common Files\System\Ole DB\backup.exe"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\7⤵PID:1756
-
-
-
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:988 -
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\6⤵PID:1600
-
-
C:\Program Files\DVD Maker\en-US\backup.exe"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\6⤵PID:1616
-
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\6⤵PID:2724
-
-
C:\Program Files\DVD Maker\fr-FR\backup.exe"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\6⤵
- Modifies visibility of file extensions in Explorer
PID:3032
-
-
C:\Program Files\DVD Maker\it-IT\backup.exe"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\6⤵
- System policy modification
PID:2596
-
-
C:\Program Files\DVD Maker\ja-JP\System Restore.exe"C:\Program Files\DVD Maker\ja-JP\System Restore.exe" C:\Program Files\DVD Maker\ja-JP\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1632
-
-
C:\Program Files\DVD Maker\Shared\backup.exe"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\6⤵
- Modifies visibility of file extensions in Explorer
PID:1928
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\5⤵PID:2580
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\5⤵
- Drops file in Program Files directory
PID:1780 -
C:\Program Files\Internet Explorer\de-DE\backup.exe"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\6⤵PID:3008
-
-
C:\Program Files\Internet Explorer\en-US\backup.exe"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\6⤵PID:1504
-
-
C:\Program Files\Internet Explorer\es-ES\backup.exe"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2700
-
-
C:\Program Files\Internet Explorer\fr-FR\backup.exe"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\6⤵PID:784
-
-
C:\Program Files\Internet Explorer\images\backup.exe"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\6⤵PID:1616
-
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\5⤵
- System policy modification
PID:2444 -
C:\Program Files\Java\jdk1.7.0_80\backup.exe"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\6⤵PID:2184
-
-
C:\Program Files\Java\jre7\System Restore.exe"C:\Program Files\Java\jre7\System Restore.exe" C:\Program Files\Java\jre7\6⤵
- Modifies visibility of file extensions in Explorer
PID:2988 -
C:\Program Files\Java\jre7\bin\backup.exe"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\7⤵PID:1608
-
-
C:\Program Files\Java\jre7\lib\backup.exe"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\7⤵PID:2884
-
-
-
-
C:\Program Files\Microsoft Games\backup.exe"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\5⤵PID:2984
-
-
C:\Program Files\Microsoft Office\update.exe"C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\5⤵PID:2068
-
-
C:\Program Files\Mozilla Firefox\backup.exe"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\5⤵PID:2880
-
-
C:\Program Files\MSBuild\backup.exe"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\5⤵PID:1744
-
-
C:\Program Files\Reference Assemblies\backup.exe"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\5⤵PID:2692
-
-
C:\Program Files\VideoLAN\backup.exe"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\5⤵PID:1500
-
-
C:\Program Files\Windows Defender\backup.exe"C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\5⤵PID:2592
-
-
-
C:\Program Files (x86)\backup.exe"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1492 -
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\5⤵
- Modifies visibility of file extensions in Explorer
PID:1532 -
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1620 -
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7⤵
- Modifies visibility of file extensions in Explorer
PID:2096
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\7⤵
- Drops file in Program Files directory
PID:884 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\8⤵
- Modifies visibility of file extensions in Explorer
PID:2904
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\8⤵
- System policy modification
PID:1372
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\8⤵
- Modifies visibility of file extensions in Explorer
PID:2764
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\8⤵
- Drops file in Program Files directory
- System policy modification
PID:2828 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\9⤵PID:2184
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\8⤵PID:1652
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2240 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\9⤵PID:2596
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\8⤵
- System policy modification
PID:1056
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:332 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\9⤵PID:2448
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\9⤵PID:1892
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\9⤵PID:2304
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\9⤵PID:2844
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\8⤵PID:2724
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\9⤵
- System policy modification
PID:2208
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:808
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\8⤵PID:2564
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\7⤵
- Drops file in Program Files directory
PID:692 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\8⤵PID:2620
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\8⤵PID:2084
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\8⤵PID:2672
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\8⤵PID:1180
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\8⤵PID:1916
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\7⤵PID:1704
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2632 -
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\6⤵
- Drops file in Program Files directory
PID:1904 -
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\7⤵
- System policy modification
PID:1916
-
-
C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1732 -
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\8⤵PID:328
-
-
-
C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\7⤵PID:2696
-
-
-
C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\6⤵PID:1876
-
-
C:\Program Files (x86)\Common Files\DESIGNER\backup.exe"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\6⤵PID:2648
-
-
C:\Program Files (x86)\Common Files\microsoft shared\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\6⤵PID:876
-
-
C:\Program Files (x86)\Common Files\Services\update.exe"C:\Program Files (x86)\Common Files\Services\update.exe" C:\Program Files (x86)\Common Files\Services\6⤵
- Modifies visibility of file extensions in Explorer
PID:2572
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\6⤵PID:2416
-
-
C:\Program Files (x86)\Common Files\System\backup.exe"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\6⤵PID:2908
-
-
-
C:\Program Files (x86)\Google\backup.exe"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\5⤵
- Modifies visibility of file extensions in Explorer
PID:1208 -
C:\Program Files (x86)\Google\CrashReports\backup.exe"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\6⤵PID:2544
-
-
C:\Program Files (x86)\Google\Temp\backup.exe"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\6⤵PID:1280
-
-
C:\Program Files (x86)\Google\Update\backup.exe"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\6⤵PID:2464
-
-
-
C:\Program Files (x86)\Internet Explorer\backup.exe"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\5⤵PID:444
-
-
C:\Program Files (x86)\Microsoft Analysis Services\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\5⤵
- Drops file in Program Files directory
PID:3064 -
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6⤵PID:2676
-
-
-
C:\Program Files (x86)\Microsoft Office\backup.exe"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\5⤵
- Drops file in Program Files directory
- System policy modification
PID:2708 -
C:\Program Files (x86)\Microsoft Office\CLIPART\data.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\data.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\6⤵
- Drops file in Program Files directory
- System policy modification
PID:1012 -
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\7⤵PID:2808
-
-
C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\data.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\data.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\7⤵PID:1144
-
-
-
C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1680 -
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\7⤵PID:2308
-
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\6⤵
- System policy modification
PID:992 -
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\7⤵PID:1684
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\7⤵PID:2216
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\6⤵PID:1820
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe"C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\6⤵PID:2624
-
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\5⤵
- Drops file in Program Files directory
PID:2744 -
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6⤵PID:3060
-
-
-
C:\Program Files (x86)\Microsoft Sync Framework\backup.exe"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\5⤵PID:792
-
-
C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe"C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\5⤵PID:2356
-
-
C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\5⤵PID:1536
-
-
C:\Program Files (x86)\Microsoft.NET\backup.exe"C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\5⤵PID:2836
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\4⤵
- Modifies visibility of file extensions in Explorer
PID:2740 -
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\5⤵
- Modifies visibility of file extensions in Explorer
PID:2552 -
C:\Users\Admin\Contacts\backup.exeC:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\6⤵PID:880
-
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\6⤵PID:2720
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\6⤵PID:2896
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\6⤵PID:2112
-
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\6⤵PID:1728
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\6⤵PID:2820
-
-
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\5⤵
- Modifies visibility of file extensions in Explorer
PID:2320 -
C:\Users\Public\Documents\backup.exeC:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\6⤵PID:832
-
-
C:\Users\Public\Downloads\backup.exeC:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\6⤵PID:932
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\6⤵PID:2772
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\6⤵PID:1548
-
C:\Users\Public\Pictures\Sample Pictures\backup.exe"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\7⤵PID:1896
-
-
-
C:\Users\Public\Recorded TV\backup.exe"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\6⤵PID:1672
-
-
-
-
C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
PID:1988
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2784
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2740
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
338KB
MD5: 562f98f0f0b798ff66a699410f8c7028
SHA1: 3c48465be8c25515da987d17030df9aea088315f
SHA256: f50301913f7ac84178f1b08191cf9f4522b7e017ef28bb1708a54b80d826202d
SHA512: 8aa00af7baf27b234f4843cce05d6f564602fe5208d2d68efa2e3eafd31b03d84ebd63def2b14fd30ac0e7b5820845ec147ac0ecbde4298c2ce4e388d1914b9a
-
Filesize
338KB
MD5: b816548a580a3389f7d3bef903553655
SHA1: 132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA256: 5748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA512: 9c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5: b816548a580a3389f7d3bef903553655
SHA1: 132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA256: 5748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA512: 9c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5: b6f78a6431321bc879a56d28a88afbcf
SHA1: 15c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256: d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512: acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5: 9c0050a7e2896ceada512457032eb996
SHA1: 646186b641bf75806a406811e36e9ef4ebb37c57
SHA256: 7cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA512: 4fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD5: 9c0050a7e2896ceada512457032eb996
SHA1: 646186b641bf75806a406811e36e9ef4ebb37c57
SHA256: 7cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA512: 4fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD5: 2f44a6f919eb1bd14a956bb3ebb7004f
SHA1: ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA256: 5a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512: e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD5: b6f78a6431321bc879a56d28a88afbcf
SHA1: 15c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256: d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512: acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5: b6f78a6431321bc879a56d28a88afbcf
SHA1: 15c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256: d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512: acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5: f25330e835ad77736cf81071ee813bb1
SHA1: ef1f8cedb18244e1007a3051e3612a5d33e1b8e6
SHA256: 32955be6a2abbe0cbb519bb7932b2b492b78358a452cdd10d19c80ea829b4e19
SHA512: 1a905fc80c72b98564e3669a105cfca5189728aaeb9cb583afce482b8f076dcb54f8f8da5fc7384c3937f1835c910d9cd5c1cb49c3b5c6a8b442c4da0339bfeb
-
Filesize
338KB
MD5: 2f44a6f919eb1bd14a956bb3ebb7004f
SHA1: ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA256: 5a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512: e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD5: 2f44a6f919eb1bd14a956bb3ebb7004f
SHA1: ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA256: 5a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512: e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD5: 16183d0cd7ce602ce012beb38b14c212
SHA1: 4a95934e1cdde5426316a3b3955db21c31d137b6
SHA256: 44bc01e4b05b1a150e0c235a3510884534b897b5bc76b9414e2d75abf8c33ad8
SHA512: 6296b98fd9fd971a25b8e48bf227b8c6f3ab6f255dd399ff525781bd604d7c8639ed06e997d35680a1f77364287649e99bbd3c5bd320e06a6f8c0cb675076949
-
Filesize
338KB
MD5: 16183d0cd7ce602ce012beb38b14c212
SHA1: 4a95934e1cdde5426316a3b3955db21c31d137b6
SHA256: 44bc01e4b05b1a150e0c235a3510884534b897b5bc76b9414e2d75abf8c33ad8
SHA512: 6296b98fd9fd971a25b8e48bf227b8c6f3ab6f255dd399ff525781bd604d7c8639ed06e997d35680a1f77364287649e99bbd3c5bd320e06a6f8c0cb675076949
-
Filesize
338KB
MD5: 9c0050a7e2896ceada512457032eb996
SHA1: 646186b641bf75806a406811e36e9ef4ebb37c57
SHA256: 7cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA512: 4fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD5: 9c0050a7e2896ceada512457032eb996
SHA1: 646186b641bf75806a406811e36e9ef4ebb37c57
SHA256: 7cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA512: 4fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD5: b816548a580a3389f7d3bef903553655
SHA1: 132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA256: 5748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA512: 9c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5: b816548a580a3389f7d3bef903553655
SHA1: 132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA256: 5748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA512: 9c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5: 1199ebb212e626d99d28b682dcb8542d
SHA1: 8799b4134858de3dfba63cf28e3f3aff9a461832
SHA256: 73972b9105550fd4cf498c36fb2ce46aa4df1dee57e8d5a66797a2f5f75adf1e
SHA512: e9e146fd7f30a9dd49c4fdb84ac2d725b9addcdd250f6ce3549305566a22698deaa5c19514238ff044282883abced85cf6c3083496f65d948754298aecf863bf
-
Filesize
338KB
MD5: 1199ebb212e626d99d28b682dcb8542d
SHA1: 8799b4134858de3dfba63cf28e3f3aff9a461832
SHA256: 73972b9105550fd4cf498c36fb2ce46aa4df1dee57e8d5a66797a2f5f75adf1e
SHA512: e9e146fd7f30a9dd49c4fdb84ac2d725b9addcdd250f6ce3549305566a22698deaa5c19514238ff044282883abced85cf6c3083496f65d948754298aecf863bf
-
Filesize
338KB
MD5: 1199ebb212e626d99d28b682dcb8542d
SHA1: 8799b4134858de3dfba63cf28e3f3aff9a461832
SHA256: 73972b9105550fd4cf498c36fb2ce46aa4df1dee57e8d5a66797a2f5f75adf1e
SHA512: e9e146fd7f30a9dd49c4fdb84ac2d725b9addcdd250f6ce3549305566a22698deaa5c19514238ff044282883abced85cf6c3083496f65d948754298aecf863bf
-
Filesize
338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287
-
Filesize
338KB
MD51d379f8c463c53f32d9a66d8c30ffcf8
SHA1230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA51268b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize
105KB
MD5f254dda758ec84de3509524774547e6d
SHA1c0184164814d05c9d832722a88a418e57d116972
SHA256394d17ee4d174f09a31a4c41581652aa6ae87281e144836dd2c19936d81f6e70
SHA512876cdbce64ab9bb290ccbac22729eb975012eaf7f23288f2e9d60e6bb7b9cf80669440a0386e4b101fe11cf89e0df7f7d9e9e1db76677a78e3c838a6312bea26
-
Filesize
338KB
MD58a9becfbf7443a3122c4ecf4a4f0a93f
SHA1e3453522a66fb1591e828ad19827a0dde1d90b36
SHA256bdb134bed12ad8eb1aadc04b9f6ba244875354c5951237eafd4687dd92f50a93
SHA512b389b946f672fe5d58006b685d64f4119d01692adfa899d16e875c88648f9c2ce7a4543dc9ce55a21a2885fde2d4b7c692893b2cbfe9f48b0b916a642ded67b1
-
Filesize
338KB
MD58a9becfbf7443a3122c4ecf4a4f0a93f
SHA1e3453522a66fb1591e828ad19827a0dde1d90b36
SHA256bdb134bed12ad8eb1aadc04b9f6ba244875354c5951237eafd4687dd92f50a93
SHA512b389b946f672fe5d58006b685d64f4119d01692adfa899d16e875c88648f9c2ce7a4543dc9ce55a21a2885fde2d4b7c692893b2cbfe9f48b0b916a642ded67b1
-
Filesize
338KB
MD5562f98f0f0b798ff66a699410f8c7028
SHA13c48465be8c25515da987d17030df9aea088315f
SHA256f50301913f7ac84178f1b08191cf9f4522b7e017ef28bb1708a54b80d826202d
SHA5128aa00af7baf27b234f4843cce05d6f564602fe5208d2d68efa2e3eafd31b03d84ebd63def2b14fd30ac0e7b5820845ec147ac0ecbde4298c2ce4e388d1914b9a
-
Filesize
338KB
MD5562f98f0f0b798ff66a699410f8c7028
SHA13c48465be8c25515da987d17030df9aea088315f
SHA256f50301913f7ac84178f1b08191cf9f4522b7e017ef28bb1708a54b80d826202d
SHA5128aa00af7baf27b234f4843cce05d6f564602fe5208d2d68efa2e3eafd31b03d84ebd63def2b14fd30ac0e7b5820845ec147ac0ecbde4298c2ce4e388d1914b9a
-
Filesize
338KB
MD5b816548a580a3389f7d3bef903553655
SHA1132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA2565748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA5129c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5b816548a580a3389f7d3bef903553655
SHA1132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA2565748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA5129c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5b6f78a6431321bc879a56d28a88afbcf
SHA115c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5b6f78a6431321bc879a56d28a88afbcf
SHA115c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD59c0050a7e2896ceada512457032eb996
SHA1646186b641bf75806a406811e36e9ef4ebb37c57
SHA2567cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA5124fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD59c0050a7e2896ceada512457032eb996
SHA1646186b641bf75806a406811e36e9ef4ebb37c57
SHA2567cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA5124fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD52f44a6f919eb1bd14a956bb3ebb7004f
SHA1ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA2565a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD52f44a6f919eb1bd14a956bb3ebb7004f
SHA1ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA2565a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD5b6f78a6431321bc879a56d28a88afbcf
SHA115c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5b6f78a6431321bc879a56d28a88afbcf
SHA115c95079a595c7bd1b1e113841c44b7a04b81f31
SHA256d0c6fefe3890b570e92ccff570fdd25ab3d05f497c96169a3a989cb6ef13ce1d
SHA512acc4de1411161e31fc43af74c4ec5127951b8a0f96f759017e37bcccf42899d955e0397e4a1626904c59abe79c715a020a8050a93df1c60e1721845992b8e0ff
-
Filesize
338KB
MD5f25330e835ad77736cf81071ee813bb1
SHA1ef1f8cedb18244e1007a3051e3612a5d33e1b8e6
SHA25632955be6a2abbe0cbb519bb7932b2b492b78358a452cdd10d19c80ea829b4e19
SHA5121a905fc80c72b98564e3669a105cfca5189728aaeb9cb583afce482b8f076dcb54f8f8da5fc7384c3937f1835c910d9cd5c1cb49c3b5c6a8b442c4da0339bfeb
-
Filesize
338KB
MD5f25330e835ad77736cf81071ee813bb1
SHA1ef1f8cedb18244e1007a3051e3612a5d33e1b8e6
SHA25632955be6a2abbe0cbb519bb7932b2b492b78358a452cdd10d19c80ea829b4e19
SHA5121a905fc80c72b98564e3669a105cfca5189728aaeb9cb583afce482b8f076dcb54f8f8da5fc7384c3937f1835c910d9cd5c1cb49c3b5c6a8b442c4da0339bfeb
-
Filesize
338KB
MD52f44a6f919eb1bd14a956bb3ebb7004f
SHA1ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA2565a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD52f44a6f919eb1bd14a956bb3ebb7004f
SHA1ca6eab2192447075e4926ee6a0aa18ddda25039e
SHA2565a32b5a48c718739706778c45ca6dc7483946c51eaf35c8420b678bc066dbc18
SHA512e7023e641b8b4946d21f086bc3e5d4e55dc2f904b0cc8c24db612315e00042a150ed9bc3d55bd4aa074f7edfd14e6d610ce609c59e303c7f7eb78d1f4fed3b27
-
Filesize
338KB
MD516183d0cd7ce602ce012beb38b14c212
SHA14a95934e1cdde5426316a3b3955db21c31d137b6
SHA25644bc01e4b05b1a150e0c235a3510884534b897b5bc76b9414e2d75abf8c33ad8
SHA5126296b98fd9fd971a25b8e48bf227b8c6f3ab6f255dd399ff525781bd604d7c8639ed06e997d35680a1f77364287649e99bbd3c5bd320e06a6f8c0cb675076949
-
Filesize
338KB
MD516183d0cd7ce602ce012beb38b14c212
SHA14a95934e1cdde5426316a3b3955db21c31d137b6
SHA25644bc01e4b05b1a150e0c235a3510884534b897b5bc76b9414e2d75abf8c33ad8
SHA5126296b98fd9fd971a25b8e48bf227b8c6f3ab6f255dd399ff525781bd604d7c8639ed06e997d35680a1f77364287649e99bbd3c5bd320e06a6f8c0cb675076949
-
Filesize
338KB
MD59c0050a7e2896ceada512457032eb996
SHA1646186b641bf75806a406811e36e9ef4ebb37c57
SHA2567cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA5124fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD59c0050a7e2896ceada512457032eb996
SHA1646186b641bf75806a406811e36e9ef4ebb37c57
SHA2567cf19179391fa3007a4ac5c39056dd629e0b9d712658fb6379fe086347fbf8ca
SHA5124fc139ee0f25dac39972de46fe0530cdec52e310c5b7a7edbd0e9cffb064f9979b41c79eb8503a28d680aab4235869b23d0074723454afa7d6e113b156d31307
-
Filesize
338KB
MD5b816548a580a3389f7d3bef903553655
SHA1132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA2565748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA5129c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD5b816548a580a3389f7d3bef903553655
SHA1132aada965b354e8972c44e1c38d06a1dd1e8cb9
SHA2565748655dd62b10c7dd444aa6f6190de91bcdfbb2be717c357a0e9098fd91f94f
SHA5129c27b06b246e1311e40280acddd77e2bbad34a6df82a1bd9fa1e627aaaf2efdc6a6d96e55a33a2671a42d5efdc55ce2b7071d27f8073b93111ec9f25a31f028f
-
Filesize
338KB
MD51199ebb212e626d99d28b682dcb8542d
SHA18799b4134858de3dfba63cf28e3f3aff9a461832
SHA25673972b9105550fd4cf498c36fb2ce46aa4df1dee57e8d5a66797a2f5f75adf1e
SHA512e9e146fd7f30a9dd49c4fdb84ac2d725b9addcdd250f6ce3549305566a22698deaa5c19514238ff044282883abced85cf6c3083496f65d948754298aecf863bf
-
Filesize
338KB
MD51199ebb212e626d99d28b682dcb8542d
SHA18799b4134858de3dfba63cf28e3f3aff9a461832
SHA25673972b9105550fd4cf498c36fb2ce46aa4df1dee57e8d5a66797a2f5f75adf1e
SHA512e9e146fd7f30a9dd49c4fdb84ac2d725b9addcdd250f6ce3549305566a22698deaa5c19514238ff044282883abced85cf6c3083496f65d948754298aecf863bf
-
Filesize
338KB
MD51d379f8c463c53f32d9a66d8c30ffcf8
SHA1230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA51268b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD51d379f8c463c53f32d9a66d8c30ffcf8
SHA1230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA51268b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize: 338KB
MD5: 1d379f8c463c53f32d9a66d8c30ffcf8
SHA1: 230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256: d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA512: 68b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287
-
Filesize
338KB
MD51d379f8c463c53f32d9a66d8c30ffcf8
SHA1230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA51268b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD51d379f8c463c53f32d9a66d8c30ffcf8
SHA1230f1acd3c44dacb44155afd2881a41e25b6d79a
SHA256d1048a25af1954b97e6b2097521c43b2771666b962814f4454045efb3e622d30
SHA51268b7d749233fde41d9272651288977d133fbaa1857d2087b88453a83df57bc3a8b51072e6ad2ad3bf07d9bf761b494decef7882ce8a6192c7ab88bbfd0695339
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287
-
Filesize
338KB
MD5c03ab6bb0e050ecf60934c6e14a7867c
SHA1db37431f937d8dab199a808396cb8ea915b6611f
SHA2560205f201420743073b393a53310ba5ecdfda57739bfce53afd5c61226f2b7713
SHA512a6885b9ff9195f06ca2e58adbcab94076d8a58e852f57fa7c54924313f54c04e3f28c752f12129f86bba049c2b3918f13d7982ce860dc59ebe78b6aa504d4287