29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820

Analysis

max time kernel
155s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
Size

72KB
MD5

0745c98dc41c02be3f9775605785b486
SHA1

a21711a8ffe6a7cb6aff60e438943c8cd119ebad
SHA256

29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820
SHA512

ad447515de8bb333dd8ebce4ae8532cfb45121a5652440fc93331b63b30f9a62147de43687f07670c12f96c36eadffe63dbfc227d5e42a0bd705d82a8e58f708
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2X:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPD

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1952	backup.exe
1940	backup.exe
1148	backup.exe
604	backup.exe
1288	backup.exe
1764	backup.exe
1804	backup.exe
616	backup.exe
836	backup.exe
848	data.exe
2040	System Restore.exe
2008	backup.exe
268	backup.exe
1356	backup.exe
1996	data.exe
1480	backup.exe
1680	backup.exe
1376	backup.exe
1604	backup.exe
1984	backup.exe
1516	update.exe
844	backup.exe
1500	backup.exe
1340	backup.exe
1304	backup.exe
1776	backup.exe
1760	backup.exe
1360	backup.exe
1568	data.exe
1768	System Restore.exe
812	backup.exe
1080	backup.exe
1744	System Restore.exe
1292	backup.exe
1468	update.exe
1588	data.exe
1556	backup.exe
584	backup.exe
1772	backup.exe
1544	backup.exe
788	backup.exe
784	backup.exe
728	backup.exe
1380	backup.exe
612	data.exe
1612	backup.exe
2000	backup.exe
2024	backup.exe
1524	backup.exe
1532	backup.exe
1688	backup.exe
1528	backup.exe
1336	backup.exe
1240	backup.exe
1780	backup.exe
1792	backup.exe
1776	backup.exe
1300	backup.exe
1132	backup.exe
812	backup.exe
1364	backup.exe
1540	backup.exe
756	backup.exe
468	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1764	backup.exe
1764	backup.exe
616	backup.exe
616	backup.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1764	backup.exe
1764	backup.exe
2040	System Restore.exe
2040	System Restore.exe
2008	backup.exe
2008	backup.exe
2040	System Restore.exe
2040	System Restore.exe
1356	backup.exe
1356	backup.exe
1996	data.exe
1996	data.exe
1996	data.exe
1996	data.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1516	update.exe
1516	update.exe
1516	update.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1764	backup.exe
1764	backup.exe
1680	backup.exe
1680	backup.exe
1304	backup.exe
1304	backup.exe
1680	backup.exe
1680	backup.exe
1760	backup.exe
1760	backup.exe
1568	data.exe
1568	data.exe
1680	backup.exe
1680	backup.exe
1568	data.exe
1568	data.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
1952	backup.exe
1940	backup.exe
1148	backup.exe
604	backup.exe
1288	backup.exe
1764	backup.exe
1804	backup.exe
616	backup.exe
836	backup.exe
848	data.exe
2040	System Restore.exe
2008	backup.exe
268	backup.exe
1356	backup.exe
1996	data.exe
1480	backup.exe
1680	backup.exe
1376	backup.exe
1604	backup.exe
1984	backup.exe
1516	update.exe
844	backup.exe
1500	backup.exe
1340	backup.exe
1304	backup.exe
1776	backup.exe
1760	backup.exe
1360	backup.exe
1568	data.exe
1768	System Restore.exe
812	backup.exe
1080	backup.exe
1744	System Restore.exe
1292	backup.exe
1468	update.exe
1588	data.exe
1556	backup.exe
584	backup.exe
1772	backup.exe
1544	backup.exe
788	backup.exe
784	backup.exe
728	backup.exe
1380	backup.exe
612	data.exe
1612	backup.exe
2000	backup.exe
2024	backup.exe
1524	backup.exe
1688	backup.exe
1532	backup.exe
1528	backup.exe
1336	backup.exe
1240	backup.exe
1780	backup.exe
1792	backup.exe
1132	backup.exe
1776	backup.exe
1300	backup.exe
1364	backup.exe
812	backup.exe
1540	backup.exe
756	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1952	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	26
PID 1988 wrote to memory of 1952	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	26
PID 1988 wrote to memory of 1952	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	26
PID 1988 wrote to memory of 1952	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	26
PID 1988 wrote to memory of 1940	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	27
PID 1988 wrote to memory of 1940	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	27
PID 1988 wrote to memory of 1940	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	27
PID 1988 wrote to memory of 1940	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	27
PID 1988 wrote to memory of 1148	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	28
PID 1988 wrote to memory of 1148	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	28
PID 1988 wrote to memory of 1148	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	28
PID 1988 wrote to memory of 1148	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	28
PID 1988 wrote to memory of 604	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	29
PID 1988 wrote to memory of 604	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	29
PID 1988 wrote to memory of 604	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	29
PID 1988 wrote to memory of 604	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	29
PID 1988 wrote to memory of 1288	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	30
PID 1988 wrote to memory of 1288	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	30
PID 1988 wrote to memory of 1288	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	30
PID 1988 wrote to memory of 1288	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	30
PID 1952 wrote to memory of 1764	1952	backup.exe	31
PID 1952 wrote to memory of 1764	1952	backup.exe	31
PID 1952 wrote to memory of 1764	1952	backup.exe	31
PID 1952 wrote to memory of 1764	1952	backup.exe	31
PID 1988 wrote to memory of 1804	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	32
PID 1988 wrote to memory of 1804	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	32
PID 1988 wrote to memory of 1804	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	32
PID 1988 wrote to memory of 1804	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	32
PID 1764 wrote to memory of 616	1764	backup.exe	33
PID 1764 wrote to memory of 616	1764	backup.exe	33
PID 1764 wrote to memory of 616	1764	backup.exe	33
PID 1764 wrote to memory of 616	1764	backup.exe	33
PID 616 wrote to memory of 836	616	backup.exe	34
PID 616 wrote to memory of 836	616	backup.exe	34
PID 616 wrote to memory of 836	616	backup.exe	34
PID 616 wrote to memory of 836	616	backup.exe	34
PID 1988 wrote to memory of 848	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	35
PID 1988 wrote to memory of 848	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	35
PID 1988 wrote to memory of 848	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	35
PID 1988 wrote to memory of 848	1988	29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe	35
PID 1764 wrote to memory of 2040	1764	backup.exe	36
PID 1764 wrote to memory of 2040	1764	backup.exe	36
PID 1764 wrote to memory of 2040	1764	backup.exe	36
PID 1764 wrote to memory of 2040	1764	backup.exe	36
PID 2040 wrote to memory of 2008	2040	System Restore.exe	37
PID 2040 wrote to memory of 2008	2040	System Restore.exe	37
PID 2040 wrote to memory of 2008	2040	System Restore.exe	37
PID 2040 wrote to memory of 2008	2040	System Restore.exe	37
PID 2008 wrote to memory of 268	2008	backup.exe	38
PID 2008 wrote to memory of 268	2008	backup.exe	38
PID 2008 wrote to memory of 268	2008	backup.exe	38
PID 2008 wrote to memory of 268	2008	backup.exe	38
PID 2040 wrote to memory of 1356	2040	System Restore.exe	39
PID 2040 wrote to memory of 1356	2040	System Restore.exe	39
PID 2040 wrote to memory of 1356	2040	System Restore.exe	39
PID 2040 wrote to memory of 1356	2040	System Restore.exe	39
PID 1356 wrote to memory of 1996	1356	backup.exe	40
PID 1356 wrote to memory of 1996	1356	backup.exe	40
PID 1356 wrote to memory of 1996	1356	backup.exe	40
PID 1356 wrote to memory of 1996	1356	backup.exe	40
PID 1996 wrote to memory of 1480	1996	data.exe	41
PID 1996 wrote to memory of 1480	1996	data.exe	41
PID 1996 wrote to memory of 1480	1996	data.exe	41
PID 1996 wrote to memory of 1480	1996	data.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe
"C:\Users\Admin\AppData\Local\Temp\29f3f17e1d79888482921ba62c03d63302e595f777fe5a1c95ae44abe7e2b820.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\658846665\backup.exe
  C:\Users\Admin\AppData\Local\Temp\658846665\backup.exe C:\Users\Admin\AppData\Local\Temp\658846665\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1764
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:616
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2040
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2008
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1356
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1372
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:468
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1828
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1612
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1500
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2044
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1212
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1088
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1548
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2028
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1748
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\Ole DB\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\data.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1692
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1336
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1132
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2008
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:852
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:1752
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1768
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1096
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:788
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2024
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:308
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:832
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2084
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2168
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1752
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:268
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:556
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1564
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1972
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1568
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1780
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2120
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1304
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
      - C:\Program Files (x86)\Adobe\Reader 9.0\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1756
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1772
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:1940
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1016
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1284
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:612
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2036
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1984
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1288
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1500
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1188
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:676
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:960
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:972
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2108
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2152
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:1580
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1316
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1692
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1688
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1468
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1664
      - C:\Users\Admin\Favorites\System Restore.exe
        
        "C:\Users\Admin\Favorites\System Restore.exe" C:\Users\Admin\Favorites\
        6⤵
        
        PID:1324
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1028
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1792
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1580
      - C:\Users\Admin\Saved Games\data.exe
        
        "C:\Users\Admin\Saved Games\data.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2072
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2160
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1476
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1552
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:604
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3cdcdaa8499b00f2ec137f8331aac3c2

SHA1
fd13a5b45827c3f3dd794e094ea2feea9aee032b

SHA256
72e133882b58d04d0116857f7a01c6a52f52727a4df4f04bf71ba51e07718c1b

SHA512
e731614eef8df6e6d7313fbde0123cd661c8218df06866d1eb858884c10e69cf01123320c8d00ed11bd0a820963eaea669878ead1342647c5bbc6074d9b5d516

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fb4039acb887dcd5d9478dd0e4bee3ad

SHA1
d38a60f6e6ed30e9fbbaf189c362e662382af103

SHA256
3e086ee0bdf6af2e0e799ab951cc947673ae0a32dae97d2e2f83fb6c1f07fcbc

SHA512
26cd7baee6c3cc7e015d2e5407c29b85acba3f96111e2b899e180692df49f281c32bf47a330ca5aed35bbc59e9fc152cba45499787ecf2d89aa23094bfd5439f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f8c26a0dc7c57956a05236289e8eb932

SHA1
70621c38db0a14b1486e24ebe31724078e7a9871

SHA256
2838055f8cb90f01bb2a6c180693a4b56dd5e036eb98a2880dbe299111d6e01d

SHA512
dd40ec2a45a3e6ac2eb4bbe66c43d5d8cb7be0de69b5e8cd6a61237332e1332f5e161e56b9e2cf73f45edab619c1fec7648c220c3620328f6fa7b37c52258de9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f8c26a0dc7c57956a05236289e8eb932

SHA1
70621c38db0a14b1486e24ebe31724078e7a9871

SHA256
2838055f8cb90f01bb2a6c180693a4b56dd5e036eb98a2880dbe299111d6e01d

SHA512
dd40ec2a45a3e6ac2eb4bbe66c43d5d8cb7be0de69b5e8cd6a61237332e1332f5e161e56b9e2cf73f45edab619c1fec7648c220c3620328f6fa7b37c52258de9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
ba56de05cba515f09ca82a0de4455bb3

SHA1
260bd9a6ab1810ee5a25a549a57a8616fcb9ebfc

SHA256
056cf2d87d630b612be7b3f4b6605429664e477e915e046c0380f0de847f6e97

SHA512
0f2e226c8e36e875e7c31a9f47490774bffa3b4c00d4fcef8accab3fff8517f5910a3e3abdbf02d75f7ebbca331457c7ccc968ce0316ca9ccda124cec4064b49

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
ba56de05cba515f09ca82a0de4455bb3

SHA1
260bd9a6ab1810ee5a25a549a57a8616fcb9ebfc

SHA256
056cf2d87d630b612be7b3f4b6605429664e477e915e046c0380f0de847f6e97

SHA512
0f2e226c8e36e875e7c31a9f47490774bffa3b4c00d4fcef8accab3fff8517f5910a3e3abdbf02d75f7ebbca331457c7ccc968ce0316ca9ccda124cec4064b49

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c0cdd997365fe3597b05d3921c598dc6

SHA1
7fce9f72b5c4a1f2c51a96b4e74d4be0cdf2a384

SHA256
091d5d6950347de08416ccd92afd36ff95dc0ed715597e142fdd457b4d646b42

SHA512
fd1293ca1fbeaab0284865a76434f037af50e6ba7ab70a2b8c49d2fdac2e7bd7272df474d3b41ea6e1e7f37d72316811f989ba1d167faa9f91432e7ef4d0af9f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0f97468a1f6b1b9c255c6baeeedf42d6

SHA1
cbed1ce7ccf90127faf6191d5fd3a91290dee744

SHA256
198907d714ef1560908e62affbc5fb3f9f9d8387b6bfd8d0cc55e5a4ce764105

SHA512
f103cbf1cd33faeb4a7520f56827b61988269465e6e6784ef5990c5b2177bbc9a48f2ef0ab35476a0e342eecd4c95f6a74c76feb50539b4447b122d393cd4686

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
63e3a42cdca7bc239e5613c526e5b6fd

SHA1
18626f9b14559dce0b2fcac0c2cdcbfe9b7dadae

SHA256
e4f71200df5423f371f9ddd32eb99cbaf2cebe5be180a06a409dc5e43f3ef9f8

SHA512
d9141a47a58a84a22e78a91c3eaa4cc6e39cafc6b28d48d034c6f7ae4ce550540dd3a5c924465991a2a3003dab8a2187b985c6d44b1fca4bdddcb04120e1cdd8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
63e3a42cdca7bc239e5613c526e5b6fd

SHA1
18626f9b14559dce0b2fcac0c2cdcbfe9b7dadae

SHA256
e4f71200df5423f371f9ddd32eb99cbaf2cebe5be180a06a409dc5e43f3ef9f8

SHA512
d9141a47a58a84a22e78a91c3eaa4cc6e39cafc6b28d48d034c6f7ae4ce550540dd3a5c924465991a2a3003dab8a2187b985c6d44b1fca4bdddcb04120e1cdd8

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
C:\Users\Admin\AppData\Local\Temp\658846665\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\658846665\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
01a93a20dc523e17efa0f848e627169a

SHA1
0ffb2a1c0af5ad0149931a27aa1ec79215846b73

SHA256
36b83703c31bd486ee747e19940bc69e46a8b5b6c17d0c4ad07f63c21d0d5d6d

SHA512
a34289efbbd5ddbf6faeaa18782c35b37c328d6c8a298e7c7739826942f73edbabdb589724ffbea4a96725f8d0fc524d4c6707a1d7621a5bd90f3def106919ac

Download Submit
C:\backup.exe

Filesize
72KB

MD5
01a93a20dc523e17efa0f848e627169a

SHA1
0ffb2a1c0af5ad0149931a27aa1ec79215846b73

SHA256
36b83703c31bd486ee747e19940bc69e46a8b5b6c17d0c4ad07f63c21d0d5d6d

SHA512
a34289efbbd5ddbf6faeaa18782c35b37c328d6c8a298e7c7739826942f73edbabdb589724ffbea4a96725f8d0fc524d4c6707a1d7621a5bd90f3def106919ac

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3cdcdaa8499b00f2ec137f8331aac3c2

SHA1
fd13a5b45827c3f3dd794e094ea2feea9aee032b

SHA256
72e133882b58d04d0116857f7a01c6a52f52727a4df4f04bf71ba51e07718c1b

SHA512
e731614eef8df6e6d7313fbde0123cd661c8218df06866d1eb858884c10e69cf01123320c8d00ed11bd0a820963eaea669878ead1342647c5bbc6074d9b5d516

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3cdcdaa8499b00f2ec137f8331aac3c2

SHA1
fd13a5b45827c3f3dd794e094ea2feea9aee032b

SHA256
72e133882b58d04d0116857f7a01c6a52f52727a4df4f04bf71ba51e07718c1b

SHA512
e731614eef8df6e6d7313fbde0123cd661c8218df06866d1eb858884c10e69cf01123320c8d00ed11bd0a820963eaea669878ead1342647c5bbc6074d9b5d516

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fb4039acb887dcd5d9478dd0e4bee3ad

SHA1
d38a60f6e6ed30e9fbbaf189c362e662382af103

SHA256
3e086ee0bdf6af2e0e799ab951cc947673ae0a32dae97d2e2f83fb6c1f07fcbc

SHA512
26cd7baee6c3cc7e015d2e5407c29b85acba3f96111e2b899e180692df49f281c32bf47a330ca5aed35bbc59e9fc152cba45499787ecf2d89aa23094bfd5439f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fb4039acb887dcd5d9478dd0e4bee3ad

SHA1
d38a60f6e6ed30e9fbbaf189c362e662382af103

SHA256
3e086ee0bdf6af2e0e799ab951cc947673ae0a32dae97d2e2f83fb6c1f07fcbc

SHA512
26cd7baee6c3cc7e015d2e5407c29b85acba3f96111e2b899e180692df49f281c32bf47a330ca5aed35bbc59e9fc152cba45499787ecf2d89aa23094bfd5439f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f8c26a0dc7c57956a05236289e8eb932

SHA1
70621c38db0a14b1486e24ebe31724078e7a9871

SHA256
2838055f8cb90f01bb2a6c180693a4b56dd5e036eb98a2880dbe299111d6e01d

SHA512
dd40ec2a45a3e6ac2eb4bbe66c43d5d8cb7be0de69b5e8cd6a61237332e1332f5e161e56b9e2cf73f45edab619c1fec7648c220c3620328f6fa7b37c52258de9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f8c26a0dc7c57956a05236289e8eb932

SHA1
70621c38db0a14b1486e24ebe31724078e7a9871

SHA256
2838055f8cb90f01bb2a6c180693a4b56dd5e036eb98a2880dbe299111d6e01d

SHA512
dd40ec2a45a3e6ac2eb4bbe66c43d5d8cb7be0de69b5e8cd6a61237332e1332f5e161e56b9e2cf73f45edab619c1fec7648c220c3620328f6fa7b37c52258de9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
ba56de05cba515f09ca82a0de4455bb3

SHA1
260bd9a6ab1810ee5a25a549a57a8616fcb9ebfc

SHA256
056cf2d87d630b612be7b3f4b6605429664e477e915e046c0380f0de847f6e97

SHA512
0f2e226c8e36e875e7c31a9f47490774bffa3b4c00d4fcef8accab3fff8517f5910a3e3abdbf02d75f7ebbca331457c7ccc968ce0316ca9ccda124cec4064b49

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
ba56de05cba515f09ca82a0de4455bb3

SHA1
260bd9a6ab1810ee5a25a549a57a8616fcb9ebfc

SHA256
056cf2d87d630b612be7b3f4b6605429664e477e915e046c0380f0de847f6e97

SHA512
0f2e226c8e36e875e7c31a9f47490774bffa3b4c00d4fcef8accab3fff8517f5910a3e3abdbf02d75f7ebbca331457c7ccc968ce0316ca9ccda124cec4064b49

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c0cdd997365fe3597b05d3921c598dc6

SHA1
7fce9f72b5c4a1f2c51a96b4e74d4be0cdf2a384

SHA256
091d5d6950347de08416ccd92afd36ff95dc0ed715597e142fdd457b4d646b42

SHA512
fd1293ca1fbeaab0284865a76434f037af50e6ba7ab70a2b8c49d2fdac2e7bd7272df474d3b41ea6e1e7f37d72316811f989ba1d167faa9f91432e7ef4d0af9f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c0cdd997365fe3597b05d3921c598dc6

SHA1
7fce9f72b5c4a1f2c51a96b4e74d4be0cdf2a384

SHA256
091d5d6950347de08416ccd92afd36ff95dc0ed715597e142fdd457b4d646b42

SHA512
fd1293ca1fbeaab0284865a76434f037af50e6ba7ab70a2b8c49d2fdac2e7bd7272df474d3b41ea6e1e7f37d72316811f989ba1d167faa9f91432e7ef4d0af9f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aedd8b9fe867232913db8d8b45bbd41f

SHA1
222f3678b0356196913c0a8e9b7a64c18354c537

SHA256
d1d635e53b75777950aebc04814005a6608d29632bb5c861383e74110633cad7

SHA512
5b6c5b52a491effb27eb6d1df68694c84bbd1319dc573d567fa6ab7c210a3d4cd0dc30e137e038987902b7c902f3284080f857ff378be06c985ca84b043fc8ce

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0f97468a1f6b1b9c255c6baeeedf42d6

SHA1
cbed1ce7ccf90127faf6191d5fd3a91290dee744

SHA256
198907d714ef1560908e62affbc5fb3f9f9d8387b6bfd8d0cc55e5a4ce764105

SHA512
f103cbf1cd33faeb4a7520f56827b61988269465e6e6784ef5990c5b2177bbc9a48f2ef0ab35476a0e342eecd4c95f6a74c76feb50539b4447b122d393cd4686

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0f97468a1f6b1b9c255c6baeeedf42d6

SHA1
cbed1ce7ccf90127faf6191d5fd3a91290dee744

SHA256
198907d714ef1560908e62affbc5fb3f9f9d8387b6bfd8d0cc55e5a4ce764105

SHA512
f103cbf1cd33faeb4a7520f56827b61988269465e6e6784ef5990c5b2177bbc9a48f2ef0ab35476a0e342eecd4c95f6a74c76feb50539b4447b122d393cd4686

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
0f97468a1f6b1b9c255c6baeeedf42d6

SHA1
cbed1ce7ccf90127faf6191d5fd3a91290dee744

SHA256
198907d714ef1560908e62affbc5fb3f9f9d8387b6bfd8d0cc55e5a4ce764105

SHA512
f103cbf1cd33faeb4a7520f56827b61988269465e6e6784ef5990c5b2177bbc9a48f2ef0ab35476a0e342eecd4c95f6a74c76feb50539b4447b122d393cd4686

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
63e3a42cdca7bc239e5613c526e5b6fd

SHA1
18626f9b14559dce0b2fcac0c2cdcbfe9b7dadae

SHA256
e4f71200df5423f371f9ddd32eb99cbaf2cebe5be180a06a409dc5e43f3ef9f8

SHA512
d9141a47a58a84a22e78a91c3eaa4cc6e39cafc6b28d48d034c6f7ae4ce550540dd3a5c924465991a2a3003dab8a2187b985c6d44b1fca4bdddcb04120e1cdd8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
63e3a42cdca7bc239e5613c526e5b6fd

SHA1
18626f9b14559dce0b2fcac0c2cdcbfe9b7dadae

SHA256
e4f71200df5423f371f9ddd32eb99cbaf2cebe5be180a06a409dc5e43f3ef9f8

SHA512
d9141a47a58a84a22e78a91c3eaa4cc6e39cafc6b28d48d034c6f7ae4ce550540dd3a5c924465991a2a3003dab8a2187b985c6d44b1fca4bdddcb04120e1cdd8

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
360f63adcc231e093461856a0b9d2ed2

SHA1
dd64442c9c29c95d56f85b4bb3de28a19736b135

SHA256
b51656b2dcae4fdf9e6decb0d4018742dc0abf5fd6c2fdd9b8d474c7a9ad4a47

SHA512
2429b96ce6a00289522a0d78e021bc677969ca094baf553a3797a5a0074b1a617b8c8b02603bbe61ab9441af6be431eb2a5aee6ded5fdc74de1c690f8d491071

Download Submit
\Users\Admin\AppData\Local\Temp\658846665\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
\Users\Admin\AppData\Local\Temp\658846665\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
09eafee79771e8d6cb6d5a10463b021b

SHA1
a5acac7349879d634ab980a835d47d65869e2cd4

SHA256
7fa35c72ab2d79dd0f185ed45c4ecfac368a48d2ea06cbdd2fd3647a3fc3b68d

SHA512
ab297f9286569cf97e89fee832581fb700555c2ffc99e094772051a4bdd9635c41df2ad0f06771f5214bdad6bd4dcfac573c026ec944391dae312d738c521067

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
57db3033299c6073093707df4415f5f2

SHA1
e141597d1955feae9297103d7d4c6d14e957c66f

SHA256
ad600d40cb76705e2622d83174170637d6db3ce9779108a01536781304830457

SHA512
1b626eb73f4a5e80a30fa50aa7fcfa803fdcd3314148eb9593d572119da743ae6273058f5af22aaa3882317d5dabc5d22062f7d42e6637b7694273e21245cfeb

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c607107396e980a09a3580f3be995469

SHA1
450a282a174c51d1daea3c000ee02ab4c6dbf733

SHA256
fe7dc147b85924b42cf2cb5b6e0c1c5cec1a472fddf4166774583649c6b07c25

SHA512
b3e3c3d31e8c8aa1bb119512f9ad82b1f8d3065f31e4dfe445a074f5ea5d0ea78ccc3bf53cc6b4d9dc28c53c3462a5ea8ee5420502bfb0ca67116c9c67638f1e

Download Submit
memory/1988-181-0x00000000747F1000-0x00000000747F3000-memory.dmp

Filesize
8KB

Download
memory/1988-125-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads