4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d

Analysis

max time kernel
41s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
Size

72KB
MD5

075d7cfa4b96326fe634cd0f405aee2e
SHA1

b7d47581f8af5f4bbae0b3876af1a1324929d20d
SHA256

4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d
SHA512

97b6b510e4a65ca6567e7ab2df09eff6c94d01a9c113ae3ce7806a2945f68a9421840bc32a773d4df6d560a7b2e8be94de03bd69e5f32305fe18e1a131f9629c
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPsC:ieTce/U/hKYuKP7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
932	backup.exe
1372	backup.exe
1008	backup.exe
556	backup.exe
1936	backup.exe
1672	backup.exe
652	backup.exe
1612	backup.exe
280	data.exe
2012	backup.exe
1888	backup.exe
812	backup.exe
1924	backup.exe
2000	backup.exe
2024	backup.exe
1728	backup.exe
1436	backup.exe
648	backup.exe
1088	backup.exe
628	backup.exe
1876	backup.exe
1556	backup.exe
1512	backup.exe
816	backup.exe
1672	backup.exe
1180	backup.exe
1396	backup.exe
1564	backup.exe
1708	backup.exe
288	backup.exe
2032	System Restore.exe
1700	backup.exe
2008	backup.exe
1764	backup.exe
1480	System Restore.exe
1184	backup.exe
1896	backup.exe
1464	backup.exe
812	backup.exe
880	backup.exe
1504	backup.exe
1096	backup.exe
1052	backup.exe
1956	update.exe
1264	backup.exe
1640	backup.exe
648	update.exe
564	backup.exe
552	backup.exe
856	backup.exe
1488	backup.exe
1936	backup.exe
800	backup.exe
1132	backup.exe
1524	System Restore.exe
1508	backup.exe
1920	backup.exe
1912	backup.exe
1452	System Restore.exe
1368	backup.exe
2036	backup.exe
1864	backup.exe
1988	data.exe
1952	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
1612	backup.exe
1612	backup.exe
280	data.exe
280	data.exe
1612	backup.exe
1612	backup.exe
1888	backup.exe
1888	backup.exe
812	backup.exe
812	backup.exe
1888	backup.exe
1888	backup.exe
2000	backup.exe
2000	backup.exe
2024	backup.exe
2024	backup.exe
2024	backup.exe
2024	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1436	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe
1708	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
932	backup.exe
1372	backup.exe
1008	backup.exe
556	backup.exe
1936	backup.exe
1672	backup.exe
652	backup.exe
1612	backup.exe
280	data.exe
2012	backup.exe
1888	backup.exe
812	backup.exe
1924	backup.exe
2000	backup.exe
2024	backup.exe
1728	backup.exe
1436	backup.exe
648	backup.exe
1088	backup.exe
628	backup.exe
1876	backup.exe
1556	backup.exe
1512	backup.exe
816	backup.exe
1672	backup.exe
1180	backup.exe
1396	backup.exe
1564	backup.exe
1708	backup.exe
288	backup.exe
2032	System Restore.exe
1700	backup.exe
2008	backup.exe
1764	backup.exe
1480	System Restore.exe
1184	backup.exe
1896	backup.exe
1464	backup.exe
812	backup.exe
880	backup.exe
1504	backup.exe
1096	backup.exe
1052	backup.exe
1264	backup.exe
1640	backup.exe
564	backup.exe
552	backup.exe
856	backup.exe
1488	backup.exe
1936	backup.exe
800	backup.exe
1132	backup.exe
1524	System Restore.exe
1508	backup.exe
1920	backup.exe
648	update.exe
1452	System Restore.exe
1956	update.exe
1912	backup.exe
1368	backup.exe
2036	backup.exe
1864	backup.exe
1732	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 932	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	27
PID 1744 wrote to memory of 932	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	27
PID 1744 wrote to memory of 932	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	27
PID 1744 wrote to memory of 932	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	27
PID 1744 wrote to memory of 1372	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	28
PID 1744 wrote to memory of 1372	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	28
PID 1744 wrote to memory of 1372	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	28
PID 1744 wrote to memory of 1372	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	28
PID 1744 wrote to memory of 1008	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	29
PID 1744 wrote to memory of 1008	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	29
PID 1744 wrote to memory of 1008	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	29
PID 1744 wrote to memory of 1008	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	29
PID 1744 wrote to memory of 556	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	30
PID 1744 wrote to memory of 556	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	30
PID 1744 wrote to memory of 556	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	30
PID 1744 wrote to memory of 556	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	30
PID 1744 wrote to memory of 1936	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	31
PID 1744 wrote to memory of 1936	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	31
PID 1744 wrote to memory of 1936	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	31
PID 1744 wrote to memory of 1936	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	31
PID 1744 wrote to memory of 1672	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	32
PID 1744 wrote to memory of 1672	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	32
PID 1744 wrote to memory of 1672	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	32
PID 1744 wrote to memory of 1672	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	32
PID 1744 wrote to memory of 652	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	33
PID 1744 wrote to memory of 652	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	33
PID 1744 wrote to memory of 652	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	33
PID 1744 wrote to memory of 652	1744	4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe	33
PID 932 wrote to memory of 1612	932	backup.exe	34
PID 932 wrote to memory of 1612	932	backup.exe	34
PID 932 wrote to memory of 1612	932	backup.exe	34
PID 932 wrote to memory of 1612	932	backup.exe	34
PID 1612 wrote to memory of 280	1612	backup.exe	35
PID 1612 wrote to memory of 280	1612	backup.exe	35
PID 1612 wrote to memory of 280	1612	backup.exe	35
PID 1612 wrote to memory of 280	1612	backup.exe	35
PID 280 wrote to memory of 2012	280	data.exe	36
PID 280 wrote to memory of 2012	280	data.exe	36
PID 280 wrote to memory of 2012	280	data.exe	36
PID 280 wrote to memory of 2012	280	data.exe	36
PID 1612 wrote to memory of 1888	1612	backup.exe	37
PID 1612 wrote to memory of 1888	1612	backup.exe	37
PID 1612 wrote to memory of 1888	1612	backup.exe	37
PID 1612 wrote to memory of 1888	1612	backup.exe	37
PID 1888 wrote to memory of 812	1888	backup.exe	38
PID 1888 wrote to memory of 812	1888	backup.exe	38
PID 1888 wrote to memory of 812	1888	backup.exe	38
PID 1888 wrote to memory of 812	1888	backup.exe	38
PID 812 wrote to memory of 1924	812	backup.exe	39
PID 812 wrote to memory of 1924	812	backup.exe	39
PID 812 wrote to memory of 1924	812	backup.exe	39
PID 812 wrote to memory of 1924	812	backup.exe	39
PID 1888 wrote to memory of 2000	1888	backup.exe	40
PID 1888 wrote to memory of 2000	1888	backup.exe	40
PID 1888 wrote to memory of 2000	1888	backup.exe	40
PID 1888 wrote to memory of 2000	1888	backup.exe	40
PID 2000 wrote to memory of 2024	2000	backup.exe	41
PID 2000 wrote to memory of 2024	2000	backup.exe	41
PID 2000 wrote to memory of 2024	2000	backup.exe	41
PID 2000 wrote to memory of 2024	2000	backup.exe	41
PID 2024 wrote to memory of 1728	2024	backup.exe	42
PID 2024 wrote to memory of 1728	2024	backup.exe	42
PID 2024 wrote to memory of 1728	2024	backup.exe	42
PID 2024 wrote to memory of 1728	2024	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe
"C:\Users\Admin\AppData\Local\Temp\4a916d46f50b111d5a3d4074b10f0dbf02ce488e3d97ec5d97238022f8524e4d.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\2716568361\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2716568361\backup.exe C:\Users\Admin\AppData\Local\Temp\2716568361\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1612
  - - C:\PerfLogs\data.exe
      C:\PerfLogs\data.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1888
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:812
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2000
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        System policy modification
        
        PID:720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:2436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:2516
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2180
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2140
      - C:\Program Files\Common Files\Services\update.exe
        
        "C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:648
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1676
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1256
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:1112
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:392
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:944
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:1720
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1512
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2008
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:716
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2028
        
        C:\Program Files\Common Files\System\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\es-ES\update.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:732
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:288
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2092
        
        C:\Program Files\Common Files\System\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ja-JP\data.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2232
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2396
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2480
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1640
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:552
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1508
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        
        PID:1988
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:888
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:612
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1144
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        System policy modification
        
        PID:1576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1480
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:880
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1492
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1520
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:460
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1904
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2116
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:2224
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2572
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:1184
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1488
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1060
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1952
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1204
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1100
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2052
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2164
      - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
        
        "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2344
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2444
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2524
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:1648
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:240
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2124
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2332
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2452
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2588
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1096
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Disables RegEdit via registry modification
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1352
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1604
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        
        PID:812
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:612
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1544
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:676
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1548
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:856
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1160
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1596
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2100
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2216
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2404
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1568
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2324
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2428
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2532
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1760
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1644
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2084
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2208
    - - C:\Program Files (x86)\Microsoft Sync Framework\update.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\update.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2372
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2488
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2564
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1896
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:936
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
      - C:\Users\Admin\Desktop\update.exe
        
        C:\Users\Admin\Desktop\update.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:280
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1548
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1480
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1876
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1700
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1672
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1452
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1552
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2152
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2308
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:800
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1752
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3507fe3c56bdfc4b2fe2354c80e0dcb7

SHA1
e18495bc1ae29a602a02478ceda0b36674bb7a05

SHA256
4456c0d8e0ceb04da99b86884730d575b96d2bca48d1abfeb66b9d264c4efaba

SHA512
569de1330b235160f86892d48fb60c3a9cdbbae194611184a4d1fec1e46c26b7e9c882a94f997aa678d909dc3982fe9140801d4bcfd533b0fc170c2121206baa

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
2a96b7f76f594ef669b576ed30be031b

SHA1
c8c5d7a52c5b180de6c30ff40e49671105e0ea46

SHA256
3f220ac0a635703739c90b24fa47c88fe33dfbf728b0a98ea2727f93931176a5

SHA512
2dc9e75d3ce2b4bcd8a97db5bd7e359dec9e2ceb0efd82be474aed88940ee4980f4e09aa5281a61b931203f466383676ec7244bc3a375f8e2725e9df0be02716

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
2a96b7f76f594ef669b576ed30be031b

SHA1
c8c5d7a52c5b180de6c30ff40e49671105e0ea46

SHA256
3f220ac0a635703739c90b24fa47c88fe33dfbf728b0a98ea2727f93931176a5

SHA512
2dc9e75d3ce2b4bcd8a97db5bd7e359dec9e2ceb0efd82be474aed88940ee4980f4e09aa5281a61b931203f466383676ec7244bc3a375f8e2725e9df0be02716

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d573d33dde65d4df83651a32ea82e7fa

SHA1
889103dd074e550639f4ddb77fcc3aded5dde308

SHA256
86fcf678e180b4153ecd79faf6ba9c43d81e8981b902117fca02a7146d224dfa

SHA512
e436cabf5f3c55efab80e38b983d6eaa41c766af7cfa27128ce88068f2ee2c476636bcf89f7f3ee3d6e41e4343715ee89e22dbe0580af6daf5205b551060382e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
474f19f0a901043236a0df528cab4d51

SHA1
7419aa80a32a6536e80b3813a3993bf3ec85693b

SHA256
8ad13e938c997965b43e177a5b294f4985e6a1ed785c38829d2ad3e3ad7ffe95

SHA512
0fabc8a709e0b5f209ba2d903158ea49cee13debd5c0ffe576301a28699b2b9131989677c4e907c295772692572a8fa7dbb10e98bbc5d5e5df382ff6b1ad1b38

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
474f19f0a901043236a0df528cab4d51

SHA1
7419aa80a32a6536e80b3813a3993bf3ec85693b

SHA256
8ad13e938c997965b43e177a5b294f4985e6a1ed785c38829d2ad3e3ad7ffe95

SHA512
0fabc8a709e0b5f209ba2d903158ea49cee13debd5c0ffe576301a28699b2b9131989677c4e907c295772692572a8fa7dbb10e98bbc5d5e5df382ff6b1ad1b38

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fe57fa44a58259a8a505051da7b27e01

SHA1
988b022dbf3845a9c3cf976acfb6d457e3c6b037

SHA256
9ad26442010d00b57e3630815bb7cfea2572b723485024683605c05b2d0e03c1

SHA512
ec750a66b3ba2ec7769f11d963b9a81706158f67f0c101d713faba0ad0776aee855c17e0f000147b2f645707ffbdde43025def44da7bbcbcd2307fb946401d57

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
54434ecae492540ef9036e8c602a422d

SHA1
5ff07e8b9fdacb0a5eb5cb633742eeb2e1f86634

SHA256
006e418eaca23354b53b47b166c6a5689233bce0dc2c066ddf3873fe95b4e844

SHA512
1adee167300e61ca7bd321adb96d70599560562f85cb5f6fa848e6880167ebf7dacd265449356992c78293267e3268717944f54bcc9ab5af21c54cb32ba90283

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
54434ecae492540ef9036e8c602a422d

SHA1
5ff07e8b9fdacb0a5eb5cb633742eeb2e1f86634

SHA256
006e418eaca23354b53b47b166c6a5689233bce0dc2c066ddf3873fe95b4e844

SHA512
1adee167300e61ca7bd321adb96d70599560562f85cb5f6fa848e6880167ebf7dacd265449356992c78293267e3268717944f54bcc9ab5af21c54cb32ba90283

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6c14cb2bf1cd308555fce32fa1325cad

SHA1
74b626b1daa9d3f8b5cb195b92a16fae40aa0944

SHA256
ac9986d325ecfa462854a9398f81592bbe33291d9ffa0ed3b705def83ed50c35

SHA512
bb51921550a3c2ab376421b9fabfc3560808b0ce1ec8043e3aacb9eeb6aaee6b152dbbcca61f4f0932f9d1d04ce41c2768ba2394e12f8593a90a74bc3d8d178a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6c14cb2bf1cd308555fce32fa1325cad

SHA1
74b626b1daa9d3f8b5cb195b92a16fae40aa0944

SHA256
ac9986d325ecfa462854a9398f81592bbe33291d9ffa0ed3b705def83ed50c35

SHA512
bb51921550a3c2ab376421b9fabfc3560808b0ce1ec8043e3aacb9eeb6aaee6b152dbbcca61f4f0932f9d1d04ce41c2768ba2394e12f8593a90a74bc3d8d178a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
21edf9e3053876440f9f19c29b43728b

SHA1
1d3783465907b4dc1d0091a2b84ddb5dddfe2b55

SHA256
337c144d506e4029e75a438db8a4436a85456c2a4583cbe9e03c1151ba27534b

SHA512
6c72606bba0ee09e3ee2ba36336ca5b7b01fd386841cc3dd13a0b9d2e9ccaa40d84d70018265307e2f4a874acfef2a36d002739e97d950801554c28c583aa781

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
21edf9e3053876440f9f19c29b43728b

SHA1
1d3783465907b4dc1d0091a2b84ddb5dddfe2b55

SHA256
337c144d506e4029e75a438db8a4436a85456c2a4583cbe9e03c1151ba27534b

SHA512
6c72606bba0ee09e3ee2ba36336ca5b7b01fd386841cc3dd13a0b9d2e9ccaa40d84d70018265307e2f4a874acfef2a36d002739e97d950801554c28c583aa781

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ec841b7fda0d9006008a680f04be8057

SHA1
3a97b5dc2b73e5f4e8dae3732a75b325d5b6ae26

SHA256
bdfe66e638516b0cbbc186b508df090f6fd948eb2a1b2704e5995b9265eeabbe

SHA512
157374993c2accc28cccd8d7134d5704914f8202447a747ce71b49b7d13f070afac2f2689af52712ecea994941522e2104ae639bad6b7470f2cd1b14e8b7762d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ec841b7fda0d9006008a680f04be8057

SHA1
3a97b5dc2b73e5f4e8dae3732a75b325d5b6ae26

SHA256
bdfe66e638516b0cbbc186b508df090f6fd948eb2a1b2704e5995b9265eeabbe

SHA512
157374993c2accc28cccd8d7134d5704914f8202447a747ce71b49b7d13f070afac2f2689af52712ecea994941522e2104ae639bad6b7470f2cd1b14e8b7762d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2716568361\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\2716568361\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c910822009ce5ff97864b4872e0ba7c4

SHA1
0b8cb56cbd22e20e2c3702c2b634e9c22bdcefc4

SHA256
d84df294ce260b5604a8402cdeda8f1b40ca41ebdbd590ccec486580fd43f70f

SHA512
d987eed37b78330cbc8f18fe33aee3e742242dc53a414099d5b3a3d15c69a2bab4aa94526e4c01e678e526d4d64fb339a887f9bc850b102669006ce6c80b133a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c910822009ce5ff97864b4872e0ba7c4

SHA1
0b8cb56cbd22e20e2c3702c2b634e9c22bdcefc4

SHA256
d84df294ce260b5604a8402cdeda8f1b40ca41ebdbd590ccec486580fd43f70f

SHA512
d987eed37b78330cbc8f18fe33aee3e742242dc53a414099d5b3a3d15c69a2bab4aa94526e4c01e678e526d4d64fb339a887f9bc850b102669006ce6c80b133a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3507fe3c56bdfc4b2fe2354c80e0dcb7

SHA1
e18495bc1ae29a602a02478ceda0b36674bb7a05

SHA256
4456c0d8e0ceb04da99b86884730d575b96d2bca48d1abfeb66b9d264c4efaba

SHA512
569de1330b235160f86892d48fb60c3a9cdbbae194611184a4d1fec1e46c26b7e9c882a94f997aa678d909dc3982fe9140801d4bcfd533b0fc170c2121206baa

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
3507fe3c56bdfc4b2fe2354c80e0dcb7

SHA1
e18495bc1ae29a602a02478ceda0b36674bb7a05

SHA256
4456c0d8e0ceb04da99b86884730d575b96d2bca48d1abfeb66b9d264c4efaba

SHA512
569de1330b235160f86892d48fb60c3a9cdbbae194611184a4d1fec1e46c26b7e9c882a94f997aa678d909dc3982fe9140801d4bcfd533b0fc170c2121206baa

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
2a96b7f76f594ef669b576ed30be031b

SHA1
c8c5d7a52c5b180de6c30ff40e49671105e0ea46

SHA256
3f220ac0a635703739c90b24fa47c88fe33dfbf728b0a98ea2727f93931176a5

SHA512
2dc9e75d3ce2b4bcd8a97db5bd7e359dec9e2ceb0efd82be474aed88940ee4980f4e09aa5281a61b931203f466383676ec7244bc3a375f8e2725e9df0be02716

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
2a96b7f76f594ef669b576ed30be031b

SHA1
c8c5d7a52c5b180de6c30ff40e49671105e0ea46

SHA256
3f220ac0a635703739c90b24fa47c88fe33dfbf728b0a98ea2727f93931176a5

SHA512
2dc9e75d3ce2b4bcd8a97db5bd7e359dec9e2ceb0efd82be474aed88940ee4980f4e09aa5281a61b931203f466383676ec7244bc3a375f8e2725e9df0be02716

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d573d33dde65d4df83651a32ea82e7fa

SHA1
889103dd074e550639f4ddb77fcc3aded5dde308

SHA256
86fcf678e180b4153ecd79faf6ba9c43d81e8981b902117fca02a7146d224dfa

SHA512
e436cabf5f3c55efab80e38b983d6eaa41c766af7cfa27128ce88068f2ee2c476636bcf89f7f3ee3d6e41e4343715ee89e22dbe0580af6daf5205b551060382e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d573d33dde65d4df83651a32ea82e7fa

SHA1
889103dd074e550639f4ddb77fcc3aded5dde308

SHA256
86fcf678e180b4153ecd79faf6ba9c43d81e8981b902117fca02a7146d224dfa

SHA512
e436cabf5f3c55efab80e38b983d6eaa41c766af7cfa27128ce88068f2ee2c476636bcf89f7f3ee3d6e41e4343715ee89e22dbe0580af6daf5205b551060382e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
474f19f0a901043236a0df528cab4d51

SHA1
7419aa80a32a6536e80b3813a3993bf3ec85693b

SHA256
8ad13e938c997965b43e177a5b294f4985e6a1ed785c38829d2ad3e3ad7ffe95

SHA512
0fabc8a709e0b5f209ba2d903158ea49cee13debd5c0ffe576301a28699b2b9131989677c4e907c295772692572a8fa7dbb10e98bbc5d5e5df382ff6b1ad1b38

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
474f19f0a901043236a0df528cab4d51

SHA1
7419aa80a32a6536e80b3813a3993bf3ec85693b

SHA256
8ad13e938c997965b43e177a5b294f4985e6a1ed785c38829d2ad3e3ad7ffe95

SHA512
0fabc8a709e0b5f209ba2d903158ea49cee13debd5c0ffe576301a28699b2b9131989677c4e907c295772692572a8fa7dbb10e98bbc5d5e5df382ff6b1ad1b38

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fe57fa44a58259a8a505051da7b27e01

SHA1
988b022dbf3845a9c3cf976acfb6d457e3c6b037

SHA256
9ad26442010d00b57e3630815bb7cfea2572b723485024683605c05b2d0e03c1

SHA512
ec750a66b3ba2ec7769f11d963b9a81706158f67f0c101d713faba0ad0776aee855c17e0f000147b2f645707ffbdde43025def44da7bbcbcd2307fb946401d57

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fe57fa44a58259a8a505051da7b27e01

SHA1
988b022dbf3845a9c3cf976acfb6d457e3c6b037

SHA256
9ad26442010d00b57e3630815bb7cfea2572b723485024683605c05b2d0e03c1

SHA512
ec750a66b3ba2ec7769f11d963b9a81706158f67f0c101d713faba0ad0776aee855c17e0f000147b2f645707ffbdde43025def44da7bbcbcd2307fb946401d57

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
54434ecae492540ef9036e8c602a422d

SHA1
5ff07e8b9fdacb0a5eb5cb633742eeb2e1f86634

SHA256
006e418eaca23354b53b47b166c6a5689233bce0dc2c066ddf3873fe95b4e844

SHA512
1adee167300e61ca7bd321adb96d70599560562f85cb5f6fa848e6880167ebf7dacd265449356992c78293267e3268717944f54bcc9ab5af21c54cb32ba90283

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
54434ecae492540ef9036e8c602a422d

SHA1
5ff07e8b9fdacb0a5eb5cb633742eeb2e1f86634

SHA256
006e418eaca23354b53b47b166c6a5689233bce0dc2c066ddf3873fe95b4e844

SHA512
1adee167300e61ca7bd321adb96d70599560562f85cb5f6fa848e6880167ebf7dacd265449356992c78293267e3268717944f54bcc9ab5af21c54cb32ba90283

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6c14cb2bf1cd308555fce32fa1325cad

SHA1
74b626b1daa9d3f8b5cb195b92a16fae40aa0944

SHA256
ac9986d325ecfa462854a9398f81592bbe33291d9ffa0ed3b705def83ed50c35

SHA512
bb51921550a3c2ab376421b9fabfc3560808b0ce1ec8043e3aacb9eeb6aaee6b152dbbcca61f4f0932f9d1d04ce41c2768ba2394e12f8593a90a74bc3d8d178a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6c14cb2bf1cd308555fce32fa1325cad

SHA1
74b626b1daa9d3f8b5cb195b92a16fae40aa0944

SHA256
ac9986d325ecfa462854a9398f81592bbe33291d9ffa0ed3b705def83ed50c35

SHA512
bb51921550a3c2ab376421b9fabfc3560808b0ce1ec8043e3aacb9eeb6aaee6b152dbbcca61f4f0932f9d1d04ce41c2768ba2394e12f8593a90a74bc3d8d178a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
082a8466c6b2f8639090af721dca4a36

SHA1
fafff5ca4590e799e081876464b83d970f32fda0

SHA256
6b25b97cbe060ab6eae0ebf2fefc11554ef103a3fdbc870928ee912a295e72ad

SHA512
d9669b85621cfa06bc48797df6c23ca377d3e3aaf2b76ebf1ca048a1290de5088638b6442910aa985d61e99ca101197708cce588514ef72ea39c707166d82bb8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
21edf9e3053876440f9f19c29b43728b

SHA1
1d3783465907b4dc1d0091a2b84ddb5dddfe2b55

SHA256
337c144d506e4029e75a438db8a4436a85456c2a4583cbe9e03c1151ba27534b

SHA512
6c72606bba0ee09e3ee2ba36336ca5b7b01fd386841cc3dd13a0b9d2e9ccaa40d84d70018265307e2f4a874acfef2a36d002739e97d950801554c28c583aa781

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
21edf9e3053876440f9f19c29b43728b

SHA1
1d3783465907b4dc1d0091a2b84ddb5dddfe2b55

SHA256
337c144d506e4029e75a438db8a4436a85456c2a4583cbe9e03c1151ba27534b

SHA512
6c72606bba0ee09e3ee2ba36336ca5b7b01fd386841cc3dd13a0b9d2e9ccaa40d84d70018265307e2f4a874acfef2a36d002739e97d950801554c28c583aa781

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ec841b7fda0d9006008a680f04be8057

SHA1
3a97b5dc2b73e5f4e8dae3732a75b325d5b6ae26

SHA256
bdfe66e638516b0cbbc186b508df090f6fd948eb2a1b2704e5995b9265eeabbe

SHA512
157374993c2accc28cccd8d7134d5704914f8202447a747ce71b49b7d13f070afac2f2689af52712ecea994941522e2104ae639bad6b7470f2cd1b14e8b7762d

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ec841b7fda0d9006008a680f04be8057

SHA1
3a97b5dc2b73e5f4e8dae3732a75b325d5b6ae26

SHA256
bdfe66e638516b0cbbc186b508df090f6fd948eb2a1b2704e5995b9265eeabbe

SHA512
157374993c2accc28cccd8d7134d5704914f8202447a747ce71b49b7d13f070afac2f2689af52712ecea994941522e2104ae639bad6b7470f2cd1b14e8b7762d

Download Submit
\Users\Admin\AppData\Local\Temp\2716568361\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\2716568361\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
0821bcb37a211c46279c14df6122ce5e

SHA1
65f2782d3088cf5582071724e68e8ea7b9d7f8d6

SHA256
7fb63cfbfa9117b1c53b741640c201cc58d3e38cc29862ec102efd20fd9ea39e

SHA512
2048841ceedd89f99da8d73dc8dcfea0d8366c3b7a8a37a479ccdc49de2f8273e59c1b05ab0f3b60f89c27cd5a20a93c78956236daabfbff1f7b93cc8fce1035

Download Submit
memory/280-107-0x0000000000000000-mapping.dmp

Download
memory/288-209-0x0000000000000000-mapping.dmp

Download
memory/552-260-0x0000000000000000-mapping.dmp

Download
memory/556-76-0x0000000000000000-mapping.dmp

Download
memory/564-259-0x0000000000000000-mapping.dmp

Download
memory/628-179-0x0000000000000000-mapping.dmp

Download
memory/648-258-0x0000000000000000-mapping.dmp

Download
memory/648-168-0x0000000000000000-mapping.dmp

Download
memory/652-94-0x0000000000000000-mapping.dmp

Download
memory/800-273-0x0000000000000000-mapping.dmp

Download
memory/812-236-0x0000000000000000-mapping.dmp

Download
memory/812-128-0x0000000000000000-mapping.dmp

Download
memory/816-191-0x0000000000000000-mapping.dmp

Download
memory/856-263-0x0000000000000000-mapping.dmp

Download
memory/880-239-0x0000000000000000-mapping.dmp

Download
memory/932-58-0x0000000000000000-mapping.dmp

Download
memory/1008-70-0x0000000000000000-mapping.dmp

Download
memory/1052-248-0x0000000000000000-mapping.dmp

Download
memory/1088-174-0x0000000000000000-mapping.dmp

Download
memory/1096-245-0x0000000000000000-mapping.dmp

Download
memory/1132-278-0x0000000000000000-mapping.dmp

Download
memory/1180-197-0x0000000000000000-mapping.dmp

Download
memory/1184-227-0x0000000000000000-mapping.dmp

Download
memory/1264-252-0x0000000000000000-mapping.dmp

Download
memory/1368-298-0x0000000000000000-mapping.dmp

Download
memory/1372-64-0x0000000000000000-mapping.dmp

Download
memory/1396-200-0x0000000000000000-mapping.dmp

Download
memory/1436-161-0x0000000000000000-mapping.dmp

Download
memory/1452-290-0x0000000000000000-mapping.dmp

Download
memory/1464-233-0x0000000000000000-mapping.dmp

Download
memory/1480-224-0x0000000000000000-mapping.dmp

Download
memory/1488-270-0x0000000000000000-mapping.dmp

Download
memory/1504-242-0x0000000000000000-mapping.dmp

Download
memory/1508-283-0x0000000000000000-mapping.dmp

Download
memory/1512-188-0x0000000000000000-mapping.dmp

Download
memory/1524-282-0x0000000000000000-mapping.dmp

Download
memory/1556-185-0x0000000000000000-mapping.dmp

Download
memory/1564-203-0x0000000000000000-mapping.dmp

Download
memory/1612-100-0x0000000000000000-mapping.dmp

Download
memory/1640-254-0x0000000000000000-mapping.dmp

Download
memory/1672-194-0x0000000000000000-mapping.dmp

Download
memory/1672-88-0x0000000000000000-mapping.dmp

Download
memory/1700-215-0x0000000000000000-mapping.dmp

Download
memory/1708-206-0x0000000000000000-mapping.dmp

Download
memory/1728-155-0x0000000000000000-mapping.dmp

Download
memory/1732-307-0x0000000000000000-mapping.dmp

Download
memory/1744-98-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1744-110-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download
memory/1764-221-0x0000000000000000-mapping.dmp

Download
memory/1876-182-0x0000000000000000-mapping.dmp

Download
memory/1888-121-0x0000000000000000-mapping.dmp

Download
memory/1896-230-0x0000000000000000-mapping.dmp

Download
memory/1912-292-0x0000000000000000-mapping.dmp

Download
memory/1920-288-0x0000000000000000-mapping.dmp

Download
memory/1924-135-0x0000000000000000-mapping.dmp

Download
memory/1936-271-0x0000000000000000-mapping.dmp

Download
memory/1936-82-0x0000000000000000-mapping.dmp

Download
memory/1952-309-0x0000000000000000-mapping.dmp

Download
memory/1956-251-0x0000000000000000-mapping.dmp

Download
memory/1988-308-0x0000000000000000-mapping.dmp

Download
memory/2000-141-0x0000000000000000-mapping.dmp

Download
memory/2008-218-0x0000000000000000-mapping.dmp

Download
memory/2012-115-0x0000000000000000-mapping.dmp

Download
memory/2024-148-0x0000000000000000-mapping.dmp

Download
memory/2032-212-0x0000000000000000-mapping.dmp

Download
memory/2036-304-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads