3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e

Analysis

max time kernel
63s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
Size

72KB
MD5

414b4f9609ec4e2accd307ddd0f5bbe3
SHA1

3a3088ddebb3a1da8d2f64ac80625e84a687f167
SHA256

3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e
SHA512

8ee876af79ffbc1bf42c10ad6b09252f3cb8db2a46bcf6bf5ec3045e6a656c3f0104767eeed0d9c832f6a5a142ae76e7015f5364e081775c0ac97af16b623c76
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2j:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrMu

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 63 IoCs

pid	Process
976	backup.exe
1396	backup.exe
1128	backup.exe
1052	backup.exe
760	backup.exe
1476	backup.exe
1312	backup.exe
684	backup.exe
1744	backup.exe
1480	backup.exe
1988	backup.exe
1624	System Restore.exe
1608	backup.exe
1616	backup.exe
1376	backup.exe
1576	backup.exe
1156	backup.exe
1484	backup.exe
1704	backup.exe
572	backup.exe
1380	backup.exe
676	backup.exe
968	data.exe
1680	backup.exe
2016	backup.exe
288	backup.exe
1284	backup.exe
1072	backup.exe
1832	backup.exe
108	backup.exe
1964	backup.exe
816	backup.exe
1084	backup.exe
440	backup.exe
1148	backup.exe
2012	backup.exe
1540	backup.exe
1464	backup.exe
1136	backup.exe
1252	backup.exe
1296	backup.exe
1916	backup.exe
840	backup.exe
1308	backup.exe
1872	backup.exe
468	backup.exe
2024	backup.exe
1932	backup.exe
1708	backup.exe
1332	backup.exe
988	backup.exe
1572	backup.exe
1156	backup.exe
1040	backup.exe
1380	backup.exe
1072	backup.exe
1832	backup.exe
968	update.exe
1680	backup.exe
2016	backup.exe
816	backup.exe
288	backup.exe
1084	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
684	backup.exe
684	backup.exe
1744	backup.exe
1744	backup.exe
684	backup.exe
684	backup.exe
1988	backup.exe
1988	backup.exe
1624	System Restore.exe
1624	System Restore.exe
1988	backup.exe
1988	backup.exe
1616	backup.exe
1616	backup.exe
1376	backup.exe
1376	backup.exe
1376	backup.exe
1376	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1488	backup.exe
1376	backup.exe
1376	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe
1284	backup.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
976	backup.exe
1396	backup.exe
1128	backup.exe
1052	backup.exe
760	backup.exe
1476	backup.exe
1312	backup.exe
684	backup.exe
1744	backup.exe
1480	backup.exe
1988	backup.exe
1624	System Restore.exe
1608	backup.exe
1616	backup.exe
1376	backup.exe
1576	backup.exe
612	backup.exe
1700	data.exe
1696	backup.exe
1452	backup.exe
1104	backup.exe
2040	backup.exe
2044	backup.exe
1468	backup.exe
1132	backup.exe
1336	data.exe
1332	backup.exe
1488	backup.exe
1484	backup.exe
1704	backup.exe
572	backup.exe
1380	backup.exe
676	backup.exe
968	data.exe
1680	backup.exe
2016	backup.exe
288	backup.exe
1148	backup.exe
2000	data.exe
2012	backup.exe
276	backup.exe
1956	backup.exe
956	backup.exe
744	backup.exe
1960	backup.exe
1916	backup.exe
836	backup.exe
1308	backup.exe
840	backup.exe
1008	backup.exe
1764	backup.exe
964	backup.exe
1876	backup.exe
1632	backup.exe
1164	backup.exe
1640	backup.exe
988	backup.exe
1592	backup.exe
1312	backup.exe
540	backup.exe
1572	backup.exe
1040	data.exe
1284	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 976	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	28
PID 1968 wrote to memory of 976	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	28
PID 1968 wrote to memory of 976	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	28
PID 1968 wrote to memory of 976	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	28
PID 1968 wrote to memory of 1396	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	29
PID 1968 wrote to memory of 1396	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	29
PID 1968 wrote to memory of 1396	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	29
PID 1968 wrote to memory of 1396	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	29
PID 1968 wrote to memory of 1128	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	30
PID 1968 wrote to memory of 1128	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	30
PID 1968 wrote to memory of 1128	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	30
PID 1968 wrote to memory of 1128	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	30
PID 1968 wrote to memory of 1052	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	31
PID 1968 wrote to memory of 1052	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	31
PID 1968 wrote to memory of 1052	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	31
PID 1968 wrote to memory of 1052	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	31
PID 1968 wrote to memory of 760	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	32
PID 1968 wrote to memory of 760	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	32
PID 1968 wrote to memory of 760	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	32
PID 1968 wrote to memory of 760	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	32
PID 1968 wrote to memory of 1476	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	33
PID 1968 wrote to memory of 1476	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	33
PID 1968 wrote to memory of 1476	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	33
PID 1968 wrote to memory of 1476	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	33
PID 1968 wrote to memory of 1312	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	34
PID 1968 wrote to memory of 1312	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	34
PID 1968 wrote to memory of 1312	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	34
PID 1968 wrote to memory of 1312	1968	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe	34
PID 976 wrote to memory of 684	976	backup.exe	35
PID 976 wrote to memory of 684	976	backup.exe	35
PID 976 wrote to memory of 684	976	backup.exe	35
PID 976 wrote to memory of 684	976	backup.exe	35
PID 684 wrote to memory of 1744	684	backup.exe	36
PID 684 wrote to memory of 1744	684	backup.exe	36
PID 684 wrote to memory of 1744	684	backup.exe	36
PID 684 wrote to memory of 1744	684	backup.exe	36
PID 1744 wrote to memory of 1480	1744	backup.exe	37
PID 1744 wrote to memory of 1480	1744	backup.exe	37
PID 1744 wrote to memory of 1480	1744	backup.exe	37
PID 1744 wrote to memory of 1480	1744	backup.exe	37
PID 684 wrote to memory of 1988	684	backup.exe	38
PID 684 wrote to memory of 1988	684	backup.exe	38
PID 684 wrote to memory of 1988	684	backup.exe	38
PID 684 wrote to memory of 1988	684	backup.exe	38
PID 1988 wrote to memory of 1624	1988	backup.exe	39
PID 1988 wrote to memory of 1624	1988	backup.exe	39
PID 1988 wrote to memory of 1624	1988	backup.exe	39
PID 1988 wrote to memory of 1624	1988	backup.exe	39
PID 1624 wrote to memory of 1608	1624	System Restore.exe	40
PID 1624 wrote to memory of 1608	1624	System Restore.exe	40
PID 1624 wrote to memory of 1608	1624	System Restore.exe	40
PID 1624 wrote to memory of 1608	1624	System Restore.exe	40
PID 1988 wrote to memory of 1616	1988	backup.exe	41
PID 1988 wrote to memory of 1616	1988	backup.exe	41
PID 1988 wrote to memory of 1616	1988	backup.exe	41
PID 1988 wrote to memory of 1616	1988	backup.exe	41
PID 1616 wrote to memory of 1376	1616	backup.exe	42
PID 1616 wrote to memory of 1376	1616	backup.exe	42
PID 1616 wrote to memory of 1376	1616	backup.exe	42
PID 1616 wrote to memory of 1376	1616	backup.exe	42
PID 1376 wrote to memory of 1576	1376	backup.exe	43
PID 1376 wrote to memory of 1576	1376	backup.exe	43
PID 1376 wrote to memory of 1576	1376	backup.exe	43
PID 1376 wrote to memory of 1576	1376	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe
"C:\Users\Admin\AppData\Local\Temp\3de2a009fadeb4d7ad33c362b5772fb0b3c6bd2a0da52ee954105038660c738e.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1968
- C:\Users\Admin\AppData\Local\Temp\4166421856\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4166421856\backup.exe C:\Users\Admin\AppData\Local\Temp\4166421856\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:976
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:684
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1744
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1988
    - - C:\Program Files\7-Zip\System Restore.exe
        
        "C:\Program Files\7-Zip\System Restore.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1624
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1616
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:440
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1296
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1536
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1252
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        
        PID:1832
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1380
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1740
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1468
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1704
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1272
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1540
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:840
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1620
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:756
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1908
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1552
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        
        PID:1916
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        
        PID:1332
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1008
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        
        PID:288
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:612
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1676
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1112
      - C:\Program Files\Microsoft Office\Office14\update.exe
        
        "C:\Program Files\Microsoft Office\Office14\update.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1488
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1752
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:596
    - - C:\Program Files\Reference Assemblies\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\System Restore.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1044
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1148
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2012
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:820
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1708
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        
        PID:1040
      - C:\Program Files (x86)\Common Files\Adobe AIR\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:440
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:856
      - C:\Program Files (x86)\Common Files\Services\update.exe
        
        "C:\Program Files (x86)\Common Files\Services\update.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1596
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:848
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1696
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Executes dropped EXE
        
        PID:816
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:892
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1068
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1616
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1744
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1480
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1952
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1668
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      System policy modification
      PID:1932
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        
        PID:968
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        
        PID:956
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      PID:2016
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:760
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
3e1e7cffd854732029b373210bf4ef68

SHA1
88f38fc1e3030e5a9183ef338fdd0ba46885be5f

SHA256
6a4ee9a310b33fe7ee8952078a11d40372966931352a086104de17974e621c67

SHA512
da26c01e2666e0b2d90f6aa5b545756d58a8cb3a88152fa93e40c11ddefe4deb8ea5c8cc7f07d4605389712ebde2d996fe2cb47780d9d794f9d97afee253bfc5

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
504dd18302a8c7d93fcabfd89bf61790

SHA1
0b689e741d5ca2cc01944207a9f19a4754f06890

SHA256
1e54fd0f139af33566f4a1ceba5acdeb7e95bea1085529681a00e5823eb0a361

SHA512
937d8541047d1a176e6b7f65300be2d50b54684da932ad177098223df81e299bc2c57590e220b05f4b97b9371c91aaf63ed5e333ff024888711e11a9c8955a8e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
504dd18302a8c7d93fcabfd89bf61790

SHA1
0b689e741d5ca2cc01944207a9f19a4754f06890

SHA256
1e54fd0f139af33566f4a1ceba5acdeb7e95bea1085529681a00e5823eb0a361

SHA512
937d8541047d1a176e6b7f65300be2d50b54684da932ad177098223df81e299bc2c57590e220b05f4b97b9371c91aaf63ed5e333ff024888711e11a9c8955a8e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
3c10a41a68032ead05df1ad6ea1c396d

SHA1
009e3feacb8daf097fd74e03b674363a32c09b36

SHA256
6ded055edbd89fe339798af996be47bd037ae3e04abcda331a295fde9e73a0be

SHA512
98a8b0fbad77cba56e4ca795412ab6d7ed0164db2d86c3d415d2ffdf917db8c0549b148d16d9ea190028ea72f791e38f24beb415fa9e2f08e98d311fdfef913a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
3c10a41a68032ead05df1ad6ea1c396d

SHA1
009e3feacb8daf097fd74e03b674363a32c09b36

SHA256
6ded055edbd89fe339798af996be47bd037ae3e04abcda331a295fde9e73a0be

SHA512
98a8b0fbad77cba56e4ca795412ab6d7ed0164db2d86c3d415d2ffdf917db8c0549b148d16d9ea190028ea72f791e38f24beb415fa9e2f08e98d311fdfef913a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4166421856\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4166421856\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0157dc2bdbdcd1dd73b5c61f17b6b377

SHA1
ba30095b4e3e58793a2801066830506be2fb6915

SHA256
2d00a864b7d5f5d5910cc44f13f60ed40cc0e5c5dc8e4b02bb3f6e601e837c93

SHA512
3c433514e865f03f91d94ba99cfa3be9c18e5dc8de8434291243074f3701fd530c915feeb0bb619366a6b23a57ac8b4669231629874f1547ba24ee9001cf0408

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0157dc2bdbdcd1dd73b5c61f17b6b377

SHA1
ba30095b4e3e58793a2801066830506be2fb6915

SHA256
2d00a864b7d5f5d5910cc44f13f60ed40cc0e5c5dc8e4b02bb3f6e601e837c93

SHA512
3c433514e865f03f91d94ba99cfa3be9c18e5dc8de8434291243074f3701fd530c915feeb0bb619366a6b23a57ac8b4669231629874f1547ba24ee9001cf0408

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
3e1e7cffd854732029b373210bf4ef68

SHA1
88f38fc1e3030e5a9183ef338fdd0ba46885be5f

SHA256
6a4ee9a310b33fe7ee8952078a11d40372966931352a086104de17974e621c67

SHA512
da26c01e2666e0b2d90f6aa5b545756d58a8cb3a88152fa93e40c11ddefe4deb8ea5c8cc7f07d4605389712ebde2d996fe2cb47780d9d794f9d97afee253bfc5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
3e1e7cffd854732029b373210bf4ef68

SHA1
88f38fc1e3030e5a9183ef338fdd0ba46885be5f

SHA256
6a4ee9a310b33fe7ee8952078a11d40372966931352a086104de17974e621c67

SHA512
da26c01e2666e0b2d90f6aa5b545756d58a8cb3a88152fa93e40c11ddefe4deb8ea5c8cc7f07d4605389712ebde2d996fe2cb47780d9d794f9d97afee253bfc5

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
3c36034a121c227c705cfb911a15b29b

SHA1
9c1aa2b90677f1d70ca207169695562296bd6920

SHA256
c2181f0a251c526a6e82cdb5f3f13396203b35725f8b7c1e37c0b7fbf73e49e2

SHA512
0c2e8b5c97aaae41c28f50010effc00b866f7e47aaabb835c33a2a1f772cc2cc6284b1b47ee2449c6860482d069e465775ec9d503e1e578a8a73f49429fc38d9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
504dd18302a8c7d93fcabfd89bf61790

SHA1
0b689e741d5ca2cc01944207a9f19a4754f06890

SHA256
1e54fd0f139af33566f4a1ceba5acdeb7e95bea1085529681a00e5823eb0a361

SHA512
937d8541047d1a176e6b7f65300be2d50b54684da932ad177098223df81e299bc2c57590e220b05f4b97b9371c91aaf63ed5e333ff024888711e11a9c8955a8e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
504dd18302a8c7d93fcabfd89bf61790

SHA1
0b689e741d5ca2cc01944207a9f19a4754f06890

SHA256
1e54fd0f139af33566f4a1ceba5acdeb7e95bea1085529681a00e5823eb0a361

SHA512
937d8541047d1a176e6b7f65300be2d50b54684da932ad177098223df81e299bc2c57590e220b05f4b97b9371c91aaf63ed5e333ff024888711e11a9c8955a8e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
61c39b827a94a2c2b37a508d103a2e7c

SHA1
95d698ec42700700586379eba2ae56665f30798e

SHA256
7b9a55674fe38cc5c22c6a770cfe175e6ccd3661fb93ebf878d1e28eae6eed9f

SHA512
e03bd2740004dd277f20babe7371c87de9c0937afa84ffe4f9982681c18b299f72a7476f27450506affd9900c0f0a66451cd35eb70422b18014148b67322d1b7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
7b80c796d31659de62e84090ce782a78

SHA1
4b0f695d33c332eb4fee511d44dbaa87e8a82ab4

SHA256
22cf6a46715ef4608bbfe2094d657b987cd4437be15b4d0569d83b8b6a18209d

SHA512
0f080e77eb35a4d11eafcd2372d02bb6fe64e1dc7a51749cb92cbc85859ccce5422d1b8ba2dc2646ba3f9e551ee3f6e62926bc16c25d73344fee8f3932d4360f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
3c10a41a68032ead05df1ad6ea1c396d

SHA1
009e3feacb8daf097fd74e03b674363a32c09b36

SHA256
6ded055edbd89fe339798af996be47bd037ae3e04abcda331a295fde9e73a0be

SHA512
98a8b0fbad77cba56e4ca795412ab6d7ed0164db2d86c3d415d2ffdf917db8c0549b148d16d9ea190028ea72f791e38f24beb415fa9e2f08e98d311fdfef913a

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
3c10a41a68032ead05df1ad6ea1c396d

SHA1
009e3feacb8daf097fd74e03b674363a32c09b36

SHA256
6ded055edbd89fe339798af996be47bd037ae3e04abcda331a295fde9e73a0be

SHA512
98a8b0fbad77cba56e4ca795412ab6d7ed0164db2d86c3d415d2ffdf917db8c0549b148d16d9ea190028ea72f791e38f24beb415fa9e2f08e98d311fdfef913a

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
1f9851f1adec8ac318f6287beb476b6e

SHA1
944091ed832068c48b4215ae59fdd972bf61250e

SHA256
0e268e75b3ca67689097553d636d325cbb54f05b37ed3dbeee1cef8198d2430f

SHA512
484348728b30a97673f7c0ba77437a766358977fc1a5ceb8a74feae3411153a2b04ff9054bc0c61aab6d50b7d61151e753c5cc3cf5623ff2cb50160939d83dd8

Download Submit
\Users\Admin\AppData\Local\Temp\4166421856\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\4166421856\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6d2cc9b097e17571606a32ebb113d7f5

SHA1
29b0a40167d7ed9ad88cba81be0491e20e4091be

SHA256
f8e648d928982defcb010e513831b550fb6a36862a2f6f7e77214c92a96f46f1

SHA512
f58d0ec395070529a297287eea66132bfbaac36a7af8bf53bfecd823c36d59bbe6d789a54b02982269e1b76553404664f0fc36210710dd4398b6c21711fd50a2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a314d72cb7b6b82ea74f930b6df02f7e

SHA1
870f221e069e7872f99505fac8972bab611b9e6a

SHA256
e9893bb224d9b68209077b731c9f68221eb00333d176545a67962d12d1194b9d

SHA512
baf855da2d58b7ef4eced1f82202c9b749e970b65564b4dc25cd63a9d727ade64f02a6bca25a8e802e593718bbd83cb0dbfdcf743ec5f8d34d01e043c5e7260c

Download Submit
memory/1968-131-0x0000000074C31000-0x0000000074C33000-memory.dmp

Filesize
8KB

Download
memory/1968-98-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads