1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
Size

72KB
MD5

a01e511c6a83f5555f959081fd094862
SHA1

bdac5f5a36876ea536452b3a10de48691f6a1d62
SHA256

1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca
SHA512

1c413ea9d1e27eef9040a692b6f94463627ea4b3f8bbe4df11ff79a228e925477fa1189faf56403c85f39d277e4149df8c4d043036db547332b790588808ddbb
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2S:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr+

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1472	backup.exe
1108	backup.exe
1804	backup.exe
972	backup.exe
1764	backup.exe
1816	backup.exe
1708	backup.exe
544	backup.exe
272	backup.exe
1092	backup.exe
1164	backup.exe
1580	backup.exe
604	backup.exe
1484	backup.exe
1660	backup.exe
1632	backup.exe
1692	backup.exe
1100	backup.exe
1564	backup.exe
1144	backup.exe
1940	backup.exe
792	backup.exe
1724	backup.exe
1700	backup.exe
652	backup.exe
520	backup.exe
380	backup.exe
1708	backup.exe
1732	update.exe
432	update.exe
976	backup.exe
544	backup.exe
1688	backup.exe
1972	backup.exe
1616	backup.exe
1736	backup.exe
1728	backup.exe
1284	backup.exe
1640	backup.exe
1676	backup.exe
532	backup.exe
860	backup.exe
1628	backup.exe
1376	backup.exe
836	backup.exe
1712	backup.exe
1596	backup.exe
1936	update.exe
1144	backup.exe
792	backup.exe
1740	backup.exe
1560	backup.exe
1604	backup.exe
1816	data.exe
1672	update.exe
1752	backup.exe
1204	backup.exe
932	backup.exe
1008	backup.exe
1844	backup.exe
900	backup.exe
1512	backup.exe
1736	backup.exe
1728	update.exe

Loads dropped DLL 64 IoCs

pid	Process
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1804	backup.exe
1804	backup.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
972	backup.exe
972	backup.exe
1804	backup.exe
1804	backup.exe
272	backup.exe
272	backup.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1092	backup.exe
1092	backup.exe
272	backup.exe
272	backup.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
604	backup.exe
604	backup.exe
1660	backup.exe
1660	backup.exe
1660	backup.exe
1660	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1804	backup.exe
1804	backup.exe
604	backup.exe
1692	backup.exe
1700	backup.exe
272	backup.exe
1660	backup.exe
1700	backup.exe
272	backup.exe
1660	backup.exe
652	backup.exe
652	backup.exe
380	backup.exe
520	backup.exe
380	backup.exe
520	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\update.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\System Restore.exe	update.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
1472	backup.exe
1108	backup.exe
1804	backup.exe
972	backup.exe
1764	backup.exe
1816	backup.exe
1708	backup.exe
544	backup.exe
272	backup.exe
1092	backup.exe
1580	backup.exe
1164	backup.exe
604	backup.exe
1484	backup.exe
1660	backup.exe
1632	backup.exe
1692	backup.exe
1100	backup.exe
1564	backup.exe
1144	backup.exe
1940	backup.exe
792	backup.exe
1724	backup.exe
1700	backup.exe
652	backup.exe
520	backup.exe
380	backup.exe
1708	backup.exe
976	backup.exe
544	backup.exe
1688	backup.exe
1972	backup.exe
1616	backup.exe
1736	backup.exe
1728	backup.exe
1284	backup.exe
1640	backup.exe
1676	backup.exe
532	backup.exe
860	backup.exe
1628	backup.exe
1376	backup.exe
836	backup.exe
432	update.exe
1732	update.exe
1712	backup.exe
1596	backup.exe
1936	update.exe
1144	backup.exe
1740	backup.exe
1560	backup.exe
792	backup.exe
1604	backup.exe
1816	data.exe
1204	backup.exe
1008	backup.exe
932	backup.exe
1752	backup.exe
1672	update.exe
1844	backup.exe
900	backup.exe
1512	backup.exe
1736	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1472	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	26
PID 1388 wrote to memory of 1472	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	26
PID 1388 wrote to memory of 1472	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	26
PID 1388 wrote to memory of 1472	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	26
PID 1388 wrote to memory of 1108	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	27
PID 1388 wrote to memory of 1108	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	27
PID 1388 wrote to memory of 1108	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	27
PID 1388 wrote to memory of 1108	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	27
PID 1472 wrote to memory of 1804	1472	backup.exe	28
PID 1472 wrote to memory of 1804	1472	backup.exe	28
PID 1472 wrote to memory of 1804	1472	backup.exe	28
PID 1472 wrote to memory of 1804	1472	backup.exe	28
PID 1804 wrote to memory of 972	1804	backup.exe	29
PID 1804 wrote to memory of 972	1804	backup.exe	29
PID 1804 wrote to memory of 972	1804	backup.exe	29
PID 1804 wrote to memory of 972	1804	backup.exe	29
PID 1388 wrote to memory of 1764	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	30
PID 1388 wrote to memory of 1764	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	30
PID 1388 wrote to memory of 1764	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	30
PID 1388 wrote to memory of 1764	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	30
PID 1388 wrote to memory of 1816	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	31
PID 1388 wrote to memory of 1816	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	31
PID 1388 wrote to memory of 1816	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	31
PID 1388 wrote to memory of 1816	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	31
PID 1388 wrote to memory of 1708	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	32
PID 1388 wrote to memory of 1708	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	32
PID 1388 wrote to memory of 1708	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	32
PID 1388 wrote to memory of 1708	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	32
PID 972 wrote to memory of 544	972	backup.exe	33
PID 972 wrote to memory of 544	972	backup.exe	33
PID 972 wrote to memory of 544	972	backup.exe	33
PID 972 wrote to memory of 544	972	backup.exe	33
PID 1804 wrote to memory of 272	1804	backup.exe	34
PID 1804 wrote to memory of 272	1804	backup.exe	34
PID 1804 wrote to memory of 272	1804	backup.exe	34
PID 1804 wrote to memory of 272	1804	backup.exe	34
PID 272 wrote to memory of 1092	272	backup.exe	35
PID 272 wrote to memory of 1092	272	backup.exe	35
PID 272 wrote to memory of 1092	272	backup.exe	35
PID 272 wrote to memory of 1092	272	backup.exe	35
PID 1388 wrote to memory of 1164	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	36
PID 1388 wrote to memory of 1164	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	36
PID 1388 wrote to memory of 1164	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	36
PID 1388 wrote to memory of 1164	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	36
PID 1092 wrote to memory of 1580	1092	backup.exe	37
PID 1092 wrote to memory of 1580	1092	backup.exe	37
PID 1092 wrote to memory of 1580	1092	backup.exe	37
PID 1092 wrote to memory of 1580	1092	backup.exe	37
PID 272 wrote to memory of 604	272	backup.exe	38
PID 272 wrote to memory of 604	272	backup.exe	38
PID 272 wrote to memory of 604	272	backup.exe	38
PID 272 wrote to memory of 604	272	backup.exe	38
PID 1388 wrote to memory of 1484	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	39
PID 1388 wrote to memory of 1484	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	39
PID 1388 wrote to memory of 1484	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	39
PID 1388 wrote to memory of 1484	1388	1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe	39
PID 604 wrote to memory of 1660	604	backup.exe	40
PID 604 wrote to memory of 1660	604	backup.exe	40
PID 604 wrote to memory of 1660	604	backup.exe	40
PID 604 wrote to memory of 1660	604	backup.exe	40
PID 1660 wrote to memory of 1632	1660	backup.exe	41
PID 1660 wrote to memory of 1632	1660	backup.exe	41
PID 1660 wrote to memory of 1632	1660	backup.exe	41
PID 1660 wrote to memory of 1632	1660	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe
"C:\Users\Admin\AppData\Local\Temp\1df354856fc2ad77f3f3c7f8e7da2242a1945b722b8b633f88133bbabadfefca.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\2162870723\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2162870723\backup.exe C:\Users\Admin\AppData\Local\Temp\2162870723\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1472
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:272
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1580
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2488
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1612
      - C:\Program Files\Common Files\Services\update.exe
        
        "C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:900
      - C:\Program Files\Common Files\System\update.exe
        
        "C:\Program Files\Common Files\System\update.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1100
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\System\ado\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1860
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1128
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1056
        
        C:\Program Files\Common Files\System\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:532
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1172
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:888
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1376
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2148
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2288
        
        C:\Program Files\Common Files\System\msadc\update.exe
        
        "C:\Program Files\Common Files\System\msadc\update.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2460
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:792
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:556
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:860
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1352
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1208
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1248
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1004
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1640
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2172
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2332
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2544
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1832
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:828
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1812
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:452
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1052
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2220
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:2388
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1816
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1364
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:544
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:692
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1484
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:892
    - - C:\Program Files\Mozilla Firefox\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\System Restore.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2140
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2296
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2468
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1700
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:652
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:1284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        
        PID:764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:2256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:380
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Disables RegEdit via registry modification
        
        PID:956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1724
    - - C:\Program Files (x86)\Common Files\update.exe
        
        "C:\Program Files (x86)\Common Files\update.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:836
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1092
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1712
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1112
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2156
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2340
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1964
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:468
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2264
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2352
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1952
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2416
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1872
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2164
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2320
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2536
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1596
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1536
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:948
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1976
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1996
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1308
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:900
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1732
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1160
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:860
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2228
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2380
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:924
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2212
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2312
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2476
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:980
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0dd29c4f4f384c3c58f8390295fd2705

SHA1
e15f2eef978b68b660091837152f49b7fa764ed7

SHA256
514f2d9ca12173623d2016d3efd4d6b184a7cdfc8ddcbaca8a2d8f60992e8c04

SHA512
a31f65b9e8081341738f3273b81b7e4bbacbd6e0cd1596348d3f7539d96f50e9f7730d07144fd89f9d4db8970619d57890445cb170788e809f527f10f1d38461

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7795c2c432dcde88a63905a7b06a0ea6

SHA1
b5162cf784821c8d46f2d2091f704cac79ea8fc7

SHA256
cee15edc4fefe6ac80ee68697e3c3a2ddeed4b95cd5855e64664aa190e3bb46d

SHA512
7e9e0e368dfa525303370685a2062e7c667146b00dea3b18e20e90f2959a2f1fddac306a11a0145d4907da68f890f34593d55336a8214623f7434d023fcdd236

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7795c2c432dcde88a63905a7b06a0ea6

SHA1
b5162cf784821c8d46f2d2091f704cac79ea8fc7

SHA256
cee15edc4fefe6ac80ee68697e3c3a2ddeed4b95cd5855e64664aa190e3bb46d

SHA512
7e9e0e368dfa525303370685a2062e7c667146b00dea3b18e20e90f2959a2f1fddac306a11a0145d4907da68f890f34593d55336a8214623f7434d023fcdd236

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9ee8916e58cdd24ce07f6c3fc237f6d2

SHA1
57f029127f245880c3894bd0f6ad082b23b945fc

SHA256
2ce2a2f2e5c876104f3b2ac4c4bcc2cd7c4a348a1606640bb2e0373a0acbadf9

SHA512
dccbbbd6cac17af1e60f40008cd694b3c4198240d7deb530ec65d9ee0e7c741256a2490605ba9e0947424012bc32109b0a6932d8a7040f096e7dcbb34a9cd924

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caee1e7f2f0b28e3c43d689d8c878539

SHA1
9ca87d165ec1eeac037c7f04e21d843dea9241ed

SHA256
efaf5fe79fdd85089ed9a51ad3f02dd5dbb9af0d880407ec0127a001c8d1d559

SHA512
14edb8d454968409e529c9572070eca6da2836c0633229defb4a1dfc2ff1747d3d477b97fb75ee5f5d0555e73b68b32ef8fc8f96c74aa8fa9336ec77cbdb22d9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caee1e7f2f0b28e3c43d689d8c878539

SHA1
9ca87d165ec1eeac037c7f04e21d843dea9241ed

SHA256
efaf5fe79fdd85089ed9a51ad3f02dd5dbb9af0d880407ec0127a001c8d1d559

SHA512
14edb8d454968409e529c9572070eca6da2836c0633229defb4a1dfc2ff1747d3d477b97fb75ee5f5d0555e73b68b32ef8fc8f96c74aa8fa9336ec77cbdb22d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
91179057cf3d959417acf740cc04a321

SHA1
86fbc7c3485bb71f89b8f4d75f5eb24aa83f58ff

SHA256
597a81d90a0d8a63beb50a6456dfcb4fc636a92ad58a268ee15f25dddc5cdd45

SHA512
7f5c5968a168f9da80a276038dddf989994e5c9cfce8424a8090a2b9f151bd433ce5640858a0e91155ef400a574c850a31009a74bea591ac6c66b1771380d738

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
91179057cf3d959417acf740cc04a321

SHA1
86fbc7c3485bb71f89b8f4d75f5eb24aa83f58ff

SHA256
597a81d90a0d8a63beb50a6456dfcb4fc636a92ad58a268ee15f25dddc5cdd45

SHA512
7f5c5968a168f9da80a276038dddf989994e5c9cfce8424a8090a2b9f151bd433ce5640858a0e91155ef400a574c850a31009a74bea591ac6c66b1771380d738

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
26fcbc177f3f5ce707e535fe43221a42

SHA1
bd70aabd12aaa84253b591db43a8e0a9212d443b

SHA256
4389ac2ec9bbe19439ae5a9fc9dd4fb825bd87ec290c8b989c837794cf15a3b9

SHA512
309171f3b0b8534b749dbb0135d44f1a87bca27160d8390aea0fb4027ecd75bcb977c160fe54f943311bd472d62e4e14383e241f8910b62482a77a04ec5d9a00

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
11df626bc0cfce10eb3c5d0f20a67fca

SHA1
1b7b3131897d12d791515898fb9b63753a66c0f7

SHA256
fa810cdb42e873036748d86fae821739a44881e48f8ffd9a797c195facba9653

SHA512
e89944dbe393fa2c2124e553a0a1f58092eb56e20e6d9c5cde63dbd6cf14d261cf1ff98980ca6f61ce03fa556e0c0c9cf31114f7b29704256a355a348807e702

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cbcd3c05fd0c9ac92005e904c554d0c

SHA1
3641c09b850bbae6f64ee7fa0840cb3acd2d7b8a

SHA256
f4c32e5382b3b42d06f4345d7b4468f1900a44267aadbe980eacffe3804c89dd

SHA512
29e03c00937ccec928ebf71e1519f99bf3b0c6c358c281d24a44d99ff9e0698b160d285862c1e657e740c1168e5bed2a10dca161d98d731cadb2f58dcab9f3ef

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cbcd3c05fd0c9ac92005e904c554d0c

SHA1
3641c09b850bbae6f64ee7fa0840cb3acd2d7b8a

SHA256
f4c32e5382b3b42d06f4345d7b4468f1900a44267aadbe980eacffe3804c89dd

SHA512
29e03c00937ccec928ebf71e1519f99bf3b0c6c358c281d24a44d99ff9e0698b160d285862c1e657e740c1168e5bed2a10dca161d98d731cadb2f58dcab9f3ef

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
24dc2550dcd35e5ff43f53766abf8a08

SHA1
338f5692b596071ad485b2e898dfe1c27d191b29

SHA256
69db40723526b73fef3c7579605ebe694e7f33747953d36d6dbc963cb931b383

SHA512
12ed82330ebea666129dfa0c0456c21933a226585d67700c2b30c10e2ade0f3e16004617ef9fb6ffe3d508d6283740e0e21b7457d311116a963c9b6da187e393

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
24dc2550dcd35e5ff43f53766abf8a08

SHA1
338f5692b596071ad485b2e898dfe1c27d191b29

SHA256
69db40723526b73fef3c7579605ebe694e7f33747953d36d6dbc963cb931b383

SHA512
12ed82330ebea666129dfa0c0456c21933a226585d67700c2b30c10e2ade0f3e16004617ef9fb6ffe3d508d6283740e0e21b7457d311116a963c9b6da187e393

Download Submit
C:\Users\Admin\AppData\Local\Temp\2162870723\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\2162870723\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4f072b2adfea4959fa3bca34564fdc3d

SHA1
f50143fcee42ba4cbf2e1841512f342e1e1838b4

SHA256
3e68c63b42b553e133cfe2daae09bc426293e56c9441522e8f7e5278f552a934

SHA512
4f9716df7e15c0128052e753f4a9b29ccb3437be57677259ff9e3eae1e0c0baf5e18e085d1b67eabb6706d3bceb85ee0614ff1db3b6d01a33555b42f77ae656e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b7c78d8df9208662ef97ae08bcf087f7

SHA1
72babc15a1fd4ccd9a86f30b6ed5440ff2d0bae5

SHA256
a4837b7fde626873510ff09bd08fbcd85395baf9258e6f853d2dacbe7ec5ae55

SHA512
26f61d07b8d2fd5f2020939e9aa392688939ef63f47b92cef426b848573a525ce5a8698edf7566fb286ad12cf1d300701f3dfe44d741fa2edf033373c9908324

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4cd3ffbb80ef2e1606eee79bccfa1e9c

SHA1
9f639a8e1ef321491ce5d40614ac102cf5e0281a

SHA256
e8e9a039098f8ae3e953a1e2d8f463e31248c9e950c677a7511334b3bcd27a9a

SHA512
3c637638478f1d278e3aa1bb235bd26183aa393ae13689b7fa3ceb2d035db0201f83649344ebdf23b18d30d197849037d9efdca35409bf63aa333ac1ac35e02b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4cd3ffbb80ef2e1606eee79bccfa1e9c

SHA1
9f639a8e1ef321491ce5d40614ac102cf5e0281a

SHA256
e8e9a039098f8ae3e953a1e2d8f463e31248c9e950c677a7511334b3bcd27a9a

SHA512
3c637638478f1d278e3aa1bb235bd26183aa393ae13689b7fa3ceb2d035db0201f83649344ebdf23b18d30d197849037d9efdca35409bf63aa333ac1ac35e02b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0dd29c4f4f384c3c58f8390295fd2705

SHA1
e15f2eef978b68b660091837152f49b7fa764ed7

SHA256
514f2d9ca12173623d2016d3efd4d6b184a7cdfc8ddcbaca8a2d8f60992e8c04

SHA512
a31f65b9e8081341738f3273b81b7e4bbacbd6e0cd1596348d3f7539d96f50e9f7730d07144fd89f9d4db8970619d57890445cb170788e809f527f10f1d38461

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0dd29c4f4f384c3c58f8390295fd2705

SHA1
e15f2eef978b68b660091837152f49b7fa764ed7

SHA256
514f2d9ca12173623d2016d3efd4d6b184a7cdfc8ddcbaca8a2d8f60992e8c04

SHA512
a31f65b9e8081341738f3273b81b7e4bbacbd6e0cd1596348d3f7539d96f50e9f7730d07144fd89f9d4db8970619d57890445cb170788e809f527f10f1d38461

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7795c2c432dcde88a63905a7b06a0ea6

SHA1
b5162cf784821c8d46f2d2091f704cac79ea8fc7

SHA256
cee15edc4fefe6ac80ee68697e3c3a2ddeed4b95cd5855e64664aa190e3bb46d

SHA512
7e9e0e368dfa525303370685a2062e7c667146b00dea3b18e20e90f2959a2f1fddac306a11a0145d4907da68f890f34593d55336a8214623f7434d023fcdd236

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7795c2c432dcde88a63905a7b06a0ea6

SHA1
b5162cf784821c8d46f2d2091f704cac79ea8fc7

SHA256
cee15edc4fefe6ac80ee68697e3c3a2ddeed4b95cd5855e64664aa190e3bb46d

SHA512
7e9e0e368dfa525303370685a2062e7c667146b00dea3b18e20e90f2959a2f1fddac306a11a0145d4907da68f890f34593d55336a8214623f7434d023fcdd236

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9ee8916e58cdd24ce07f6c3fc237f6d2

SHA1
57f029127f245880c3894bd0f6ad082b23b945fc

SHA256
2ce2a2f2e5c876104f3b2ac4c4bcc2cd7c4a348a1606640bb2e0373a0acbadf9

SHA512
dccbbbd6cac17af1e60f40008cd694b3c4198240d7deb530ec65d9ee0e7c741256a2490605ba9e0947424012bc32109b0a6932d8a7040f096e7dcbb34a9cd924

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9ee8916e58cdd24ce07f6c3fc237f6d2

SHA1
57f029127f245880c3894bd0f6ad082b23b945fc

SHA256
2ce2a2f2e5c876104f3b2ac4c4bcc2cd7c4a348a1606640bb2e0373a0acbadf9

SHA512
dccbbbd6cac17af1e60f40008cd694b3c4198240d7deb530ec65d9ee0e7c741256a2490605ba9e0947424012bc32109b0a6932d8a7040f096e7dcbb34a9cd924

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caee1e7f2f0b28e3c43d689d8c878539

SHA1
9ca87d165ec1eeac037c7f04e21d843dea9241ed

SHA256
efaf5fe79fdd85089ed9a51ad3f02dd5dbb9af0d880407ec0127a001c8d1d559

SHA512
14edb8d454968409e529c9572070eca6da2836c0633229defb4a1dfc2ff1747d3d477b97fb75ee5f5d0555e73b68b32ef8fc8f96c74aa8fa9336ec77cbdb22d9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
caee1e7f2f0b28e3c43d689d8c878539

SHA1
9ca87d165ec1eeac037c7f04e21d843dea9241ed

SHA256
efaf5fe79fdd85089ed9a51ad3f02dd5dbb9af0d880407ec0127a001c8d1d559

SHA512
14edb8d454968409e529c9572070eca6da2836c0633229defb4a1dfc2ff1747d3d477b97fb75ee5f5d0555e73b68b32ef8fc8f96c74aa8fa9336ec77cbdb22d9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
91179057cf3d959417acf740cc04a321

SHA1
86fbc7c3485bb71f89b8f4d75f5eb24aa83f58ff

SHA256
597a81d90a0d8a63beb50a6456dfcb4fc636a92ad58a268ee15f25dddc5cdd45

SHA512
7f5c5968a168f9da80a276038dddf989994e5c9cfce8424a8090a2b9f151bd433ce5640858a0e91155ef400a574c850a31009a74bea591ac6c66b1771380d738

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
91179057cf3d959417acf740cc04a321

SHA1
86fbc7c3485bb71f89b8f4d75f5eb24aa83f58ff

SHA256
597a81d90a0d8a63beb50a6456dfcb4fc636a92ad58a268ee15f25dddc5cdd45

SHA512
7f5c5968a168f9da80a276038dddf989994e5c9cfce8424a8090a2b9f151bd433ce5640858a0e91155ef400a574c850a31009a74bea591ac6c66b1771380d738

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
26fcbc177f3f5ce707e535fe43221a42

SHA1
bd70aabd12aaa84253b591db43a8e0a9212d443b

SHA256
4389ac2ec9bbe19439ae5a9fc9dd4fb825bd87ec290c8b989c837794cf15a3b9

SHA512
309171f3b0b8534b749dbb0135d44f1a87bca27160d8390aea0fb4027ecd75bcb977c160fe54f943311bd472d62e4e14383e241f8910b62482a77a04ec5d9a00

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
26fcbc177f3f5ce707e535fe43221a42

SHA1
bd70aabd12aaa84253b591db43a8e0a9212d443b

SHA256
4389ac2ec9bbe19439ae5a9fc9dd4fb825bd87ec290c8b989c837794cf15a3b9

SHA512
309171f3b0b8534b749dbb0135d44f1a87bca27160d8390aea0fb4027ecd75bcb977c160fe54f943311bd472d62e4e14383e241f8910b62482a77a04ec5d9a00

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
53384a578884ce40d889ef126367fc00

SHA1
60859f7f8c1a0512db3e440a67f5e62845bca707

SHA256
9d577dc7f3bd1c1b265d9bcd3f333cf790c39940e19222c162d3502091bc0820

SHA512
121a2be0c73561b98212ec6e11c91088e56b8384f7589087f683a7e054d2c29dc0c014e30c491a8b574a50e9d085c7b540faeff370fb75f3b31c49ac6efc39aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
11df626bc0cfce10eb3c5d0f20a67fca

SHA1
1b7b3131897d12d791515898fb9b63753a66c0f7

SHA256
fa810cdb42e873036748d86fae821739a44881e48f8ffd9a797c195facba9653

SHA512
e89944dbe393fa2c2124e553a0a1f58092eb56e20e6d9c5cde63dbd6cf14d261cf1ff98980ca6f61ce03fa556e0c0c9cf31114f7b29704256a355a348807e702

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
11df626bc0cfce10eb3c5d0f20a67fca

SHA1
1b7b3131897d12d791515898fb9b63753a66c0f7

SHA256
fa810cdb42e873036748d86fae821739a44881e48f8ffd9a797c195facba9653

SHA512
e89944dbe393fa2c2124e553a0a1f58092eb56e20e6d9c5cde63dbd6cf14d261cf1ff98980ca6f61ce03fa556e0c0c9cf31114f7b29704256a355a348807e702

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
11df626bc0cfce10eb3c5d0f20a67fca

SHA1
1b7b3131897d12d791515898fb9b63753a66c0f7

SHA256
fa810cdb42e873036748d86fae821739a44881e48f8ffd9a797c195facba9653

SHA512
e89944dbe393fa2c2124e553a0a1f58092eb56e20e6d9c5cde63dbd6cf14d261cf1ff98980ca6f61ce03fa556e0c0c9cf31114f7b29704256a355a348807e702

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cbcd3c05fd0c9ac92005e904c554d0c

SHA1
3641c09b850bbae6f64ee7fa0840cb3acd2d7b8a

SHA256
f4c32e5382b3b42d06f4345d7b4468f1900a44267aadbe980eacffe3804c89dd

SHA512
29e03c00937ccec928ebf71e1519f99bf3b0c6c358c281d24a44d99ff9e0698b160d285862c1e657e740c1168e5bed2a10dca161d98d731cadb2f58dcab9f3ef

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5cbcd3c05fd0c9ac92005e904c554d0c

SHA1
3641c09b850bbae6f64ee7fa0840cb3acd2d7b8a

SHA256
f4c32e5382b3b42d06f4345d7b4468f1900a44267aadbe980eacffe3804c89dd

SHA512
29e03c00937ccec928ebf71e1519f99bf3b0c6c358c281d24a44d99ff9e0698b160d285862c1e657e740c1168e5bed2a10dca161d98d731cadb2f58dcab9f3ef

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
24dc2550dcd35e5ff43f53766abf8a08

SHA1
338f5692b596071ad485b2e898dfe1c27d191b29

SHA256
69db40723526b73fef3c7579605ebe694e7f33747953d36d6dbc963cb931b383

SHA512
12ed82330ebea666129dfa0c0456c21933a226585d67700c2b30c10e2ade0f3e16004617ef9fb6ffe3d508d6283740e0e21b7457d311116a963c9b6da187e393

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
24dc2550dcd35e5ff43f53766abf8a08

SHA1
338f5692b596071ad485b2e898dfe1c27d191b29

SHA256
69db40723526b73fef3c7579605ebe694e7f33747953d36d6dbc963cb931b383

SHA512
12ed82330ebea666129dfa0c0456c21933a226585d67700c2b30c10e2ade0f3e16004617ef9fb6ffe3d508d6283740e0e21b7457d311116a963c9b6da187e393

Download Submit
\Users\Admin\AppData\Local\Temp\2162870723\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
\Users\Admin\AppData\Local\Temp\2162870723\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4f072b2adfea4959fa3bca34564fdc3d

SHA1
f50143fcee42ba4cbf2e1841512f342e1e1838b4

SHA256
3e68c63b42b553e133cfe2daae09bc426293e56c9441522e8f7e5278f552a934

SHA512
4f9716df7e15c0128052e753f4a9b29ccb3437be57677259ff9e3eae1e0c0baf5e18e085d1b67eabb6706d3bceb85ee0614ff1db3b6d01a33555b42f77ae656e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4f072b2adfea4959fa3bca34564fdc3d

SHA1
f50143fcee42ba4cbf2e1841512f342e1e1838b4

SHA256
3e68c63b42b553e133cfe2daae09bc426293e56c9441522e8f7e5278f552a934

SHA512
4f9716df7e15c0128052e753f4a9b29ccb3437be57677259ff9e3eae1e0c0baf5e18e085d1b67eabb6706d3bceb85ee0614ff1db3b6d01a33555b42f77ae656e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b7c78d8df9208662ef97ae08bcf087f7

SHA1
72babc15a1fd4ccd9a86f30b6ed5440ff2d0bae5

SHA256
a4837b7fde626873510ff09bd08fbcd85395baf9258e6f853d2dacbe7ec5ae55

SHA512
26f61d07b8d2fd5f2020939e9aa392688939ef63f47b92cef426b848573a525ce5a8698edf7566fb286ad12cf1d300701f3dfe44d741fa2edf033373c9908324

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b7c78d8df9208662ef97ae08bcf087f7

SHA1
72babc15a1fd4ccd9a86f30b6ed5440ff2d0bae5

SHA256
a4837b7fde626873510ff09bd08fbcd85395baf9258e6f853d2dacbe7ec5ae55

SHA512
26f61d07b8d2fd5f2020939e9aa392688939ef63f47b92cef426b848573a525ce5a8698edf7566fb286ad12cf1d300701f3dfe44d741fa2edf033373c9908324

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e6d4bcb688785bf86cc96701cc7a4edf

SHA1
b3f0c327004c412d1a8ab741c82e25259b3db2dc

SHA256
acfe35ddc2f1cedc758e5e917551480ebbf9cbbc0ef7ddc99b510fc94de47944

SHA512
3d2b73fa316af0f9009a610f08ab68a58e1b29d0ee3c7f3d73c6a276f57064f58fc1ac7192b053b72800931f7a1aeb6af6401148e4acf7bc8df22777cc18ab60

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
93cc01563ee4d441e99f4a8e56403c75

SHA1
4e93121602a4c246952abd3fe5ed4595325b0601

SHA256
30dc2e5be642508731e38e2f1b2001739e0be4a5a5254a01aa4efe606a817de2

SHA512
f364968123b3ae024dfd3e54d73de2291dea514f6573aeb8241c54cff515a3e40b66b251a415d1daf1615eda25ecda2f864ebc4e008e5d78acddfa811b6cb3a9

Download Submit
memory/1388-144-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads