7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d

Analysis

max time kernel
158s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
Size

72KB
MD5

0209e3d33be7fe1f8d85ce79f8503147
SHA1

b6cc75bebdb27a43879555674c7c6599b5083067
SHA256

7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d
SHA512

da2b709462621d44ed8d580a1d2112d9d97efe467be80414089a179d749a80339435ea8a14ca4bdd869d502c82597c20a68428dc5f574d4e739d7e33abe0320d
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2A:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr8

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1956	backup.exe
1700	backup.exe
1496	backup.exe
1720	backup.exe
360	backup.exe
340	backup.exe
520	backup.exe
972	backup.exe
1012	backup.exe
1004	backup.exe
812	update.exe
700	backup.exe
1324	backup.exe
1776	backup.exe
832	backup.exe
1572	backup.exe
1676	backup.exe
1812	backup.exe
1596	backup.exe
1464	backup.exe
848	backup.exe
1820	backup.exe
572	backup.exe
1372	backup.exe
1832	backup.exe
340	backup.exe
972	backup.exe
1536	data.exe
1796	backup.exe
1348	backup.exe
1304	backup.exe
1296	backup.exe
552	backup.exe
864	backup.exe
968	backup.exe
1116	backup.exe
1376	update.exe
1684	backup.exe
1512	update.exe
748	backup.exe
580	backup.exe
1648	backup.exe
1672	backup.exe
1696	backup.exe
1692	data.exe
592	backup.exe
588	backup.exe
1804	backup.exe
1368	backup.exe
604	backup.exe
908	backup.exe
1772	backup.exe
1356	backup.exe
1688	backup.exe
1612	backup.exe
916	backup.exe
1272	backup.exe
1328	backup.exe
772	backup.exe
276	backup.exe
1124	backup.exe
1116	backup.exe
968	backup.exe
1760	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1720	backup.exe
1720	backup.exe
340	backup.exe
340	backup.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1720	backup.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
812	update.exe
812	update.exe
812	update.exe
812	update.exe
812	update.exe
700	backup.exe
700	backup.exe
700	backup.exe
700	backup.exe
700	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
812	update.exe
812	update.exe
1776	backup.exe
1776	backup.exe
1776	backup.exe
1720	backup.exe
1720	backup.exe
1776	backup.exe
1776	backup.exe
832	backup.exe
832	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1812	backup.exe
1812	backup.exe
1812	backup.exe
1676	backup.exe
1676	backup.exe
1596	backup.exe
1596	backup.exe
1572	backup.exe
1572	backup.exe
848	backup.exe
848	backup.exe
848	backup.exe
1596	backup.exe
1596	backup.exe
1820	backup.exe
1820	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\update.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
1956	backup.exe
1700	backup.exe
1496	backup.exe
1720	backup.exe
340	backup.exe
360	backup.exe
520	backup.exe
972	backup.exe
1012	backup.exe
1004	backup.exe
812	update.exe
700	backup.exe
1324	backup.exe
1776	backup.exe
832	backup.exe
1572	backup.exe
1676	backup.exe
1812	backup.exe
1596	backup.exe
1464	backup.exe
848	backup.exe
1820	backup.exe
572	backup.exe
1372	backup.exe
1832	backup.exe
340	backup.exe
972	backup.exe
1536	data.exe
1796	backup.exe
1348	backup.exe
1304	backup.exe
1296	backup.exe
552	backup.exe
864	backup.exe
968	backup.exe
1116	backup.exe
1684	backup.exe
1376	update.exe
1512	update.exe
748	backup.exe
1648	backup.exe
1672	backup.exe
1696	backup.exe
1692	data.exe
592	backup.exe
588	backup.exe
1804	backup.exe
1368	backup.exe
604	backup.exe
908	backup.exe
1772	backup.exe
1356	backup.exe
1688	backup.exe
1272	backup.exe
916	backup.exe
1612	backup.exe
1328	backup.exe
1124	backup.exe
1760	backup.exe
1116	backup.exe
772	backup.exe
1788	backup.exe
868	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1956	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	27
PID 1264 wrote to memory of 1956	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	27
PID 1264 wrote to memory of 1956	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	27
PID 1264 wrote to memory of 1956	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	27
PID 1264 wrote to memory of 1700	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	28
PID 1264 wrote to memory of 1700	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	28
PID 1264 wrote to memory of 1700	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	28
PID 1264 wrote to memory of 1700	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	28
PID 1264 wrote to memory of 1496	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	29
PID 1264 wrote to memory of 1496	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	29
PID 1264 wrote to memory of 1496	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	29
PID 1264 wrote to memory of 1496	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	29
PID 1956 wrote to memory of 1720	1956	backup.exe	30
PID 1956 wrote to memory of 1720	1956	backup.exe	30
PID 1956 wrote to memory of 1720	1956	backup.exe	30
PID 1956 wrote to memory of 1720	1956	backup.exe	30
PID 1264 wrote to memory of 360	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	31
PID 1264 wrote to memory of 360	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	31
PID 1264 wrote to memory of 360	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	31
PID 1264 wrote to memory of 360	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	31
PID 1720 wrote to memory of 340	1720	backup.exe	32
PID 1720 wrote to memory of 340	1720	backup.exe	32
PID 1720 wrote to memory of 340	1720	backup.exe	32
PID 1720 wrote to memory of 340	1720	backup.exe	32
PID 340 wrote to memory of 520	340	backup.exe	33
PID 340 wrote to memory of 520	340	backup.exe	33
PID 340 wrote to memory of 520	340	backup.exe	33
PID 340 wrote to memory of 520	340	backup.exe	33
PID 1264 wrote to memory of 972	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	34
PID 1264 wrote to memory of 972	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	34
PID 1264 wrote to memory of 972	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	34
PID 1264 wrote to memory of 972	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	34
PID 1264 wrote to memory of 1012	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	36
PID 1264 wrote to memory of 1012	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	36
PID 1264 wrote to memory of 1012	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	36
PID 1264 wrote to memory of 1012	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	36
PID 1264 wrote to memory of 1004	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	37
PID 1264 wrote to memory of 1004	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	37
PID 1264 wrote to memory of 1004	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	37
PID 1264 wrote to memory of 1004	1264	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe	37
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 1720 wrote to memory of 812	1720	backup.exe	35
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 812 wrote to memory of 700	812	update.exe	38
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 700 wrote to memory of 1324	700	backup.exe	39
PID 812 wrote to memory of 1776	812	update.exe	40
PID 812 wrote to memory of 1776	812	update.exe	40
PID 812 wrote to memory of 1776	812	update.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe
"C:\Users\Admin\AppData\Local\Temp\7b86890e95394cfa68eabe358076c88aa819ccf4220b7cb95768f85cad1ddf0d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1264
- C:\Users\Admin\AppData\Local\Temp\2682006580\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2682006580\backup.exe C:\Users\Admin\AppData\Local\Temp\2682006580\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1720
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:340
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:812
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:700
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1776
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2436
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:428
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:664
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2216
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2400
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        
        PID:968
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2368
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        
        PID:276
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:864
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:552
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2008
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2180
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2320
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1932
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2016
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1744
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1844
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2280
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2444
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:1008
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1512
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1568
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2208
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2340
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2492
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:832
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2004
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2136
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:916
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1332
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1644
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1012
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:2056
      - C:\Program Files (x86)\Common Files\DESIGNER\data.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\data.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1456
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1652
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2200
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2376
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1092
    - - C:\Program Files (x86)\Microsoft Analysis Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1332
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1928
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2164
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2304
    - - C:\Program Files (x86)\Microsoft Synchronization Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\update.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2460
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:588
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1560
      - C:\Users\Admin\Documents\data.exe
        
        C:\Users\Admin\Documents\data.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:316
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1968
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:520
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2092
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2256
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2412
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1300
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:624
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:360
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:972
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
2bafc5b93ff00be4d019d499c0df7383

SHA1
9d12f7b16a918150e9d7158641f2d6db371dbc98

SHA256
7dfee34f26ec0a6c9526ba98c3323ee9b8797291b28a48c1b881611058aa83f2

SHA512
fee2a53259b0ab9cccc4d914b4ca9d847911f051b71e89e86f3e8df4bff76f49366f81fe12e33599b3e434ddc497bfeacfac8d92f9d74311a44f269031aa4383

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
92c18edc8060b8674272f465323b65cf

SHA1
f3694a4dab5169958f21dd299bda69b5f65526b4

SHA256
2a607e9c6778572d1b0785f656f4e59195cfe4abe49a5f32f155eec605b823e5

SHA512
b53d4cb1ed473eabb729768d17a563b3fbf9f4d89703ad31454c38be72cb8a609767ac19d08e8a50824be9a3126102ee1870b2dc430088d6424c38ec156eb232

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
92c18edc8060b8674272f465323b65cf

SHA1
f3694a4dab5169958f21dd299bda69b5f65526b4

SHA256
2a607e9c6778572d1b0785f656f4e59195cfe4abe49a5f32f155eec605b823e5

SHA512
b53d4cb1ed473eabb729768d17a563b3fbf9f4d89703ad31454c38be72cb8a609767ac19d08e8a50824be9a3126102ee1870b2dc430088d6424c38ec156eb232

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2682006580\backup.exe

Filesize
72KB

MD5
9307de7b3bad234364b9226fc6c08f02

SHA1
55745125f80e826623eeb12cb92da33820289593

SHA256
1bc91e2c1c11b62385a6cf274806ee6d73e653bc484b2b69c2c7311b4b504ce0

SHA512
f4e60078cda1da734980048156e3b842152a4c450fc1266412cbeb6d69f7363c576cf8ee900d60351e4964d92bb4be285335c2a979786c661ee50105743d5170

Download Submit
C:\Users\Admin\AppData\Local\Temp\2682006580\backup.exe

Filesize
72KB

MD5
9307de7b3bad234364b9226fc6c08f02

SHA1
55745125f80e826623eeb12cb92da33820289593

SHA256
1bc91e2c1c11b62385a6cf274806ee6d73e653bc484b2b69c2c7311b4b504ce0

SHA512
f4e60078cda1da734980048156e3b842152a4c450fc1266412cbeb6d69f7363c576cf8ee900d60351e4964d92bb4be285335c2a979786c661ee50105743d5170

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ac653b297a3e9d9b687cfaef258af3a9

SHA1
8b219b3de07788395a648bb3db1cc26d428f06e4

SHA256
90c913a60e2c40663b6b2a9290e6ffda6fe606f4eafbb957a83a80832a36b1b5

SHA512
a222844cb32d9c0d2d60bf26ba69eae19ab054a514900def686ed977a90fae4c15f45e5d8f757589d06ac27d6375d839bfe0b8591b49b175d87fd4eb75df5132

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6255d202bb40509bdfbf8949ef482952

SHA1
4c8da3e9ae09def167d3c82993218a34d261d39b

SHA256
f3271611783581d48e898ddf15e1b8c9f1424884c932872264871aa8faa6d213

SHA512
29125157a3a9fc5ed3b05b3c754a7794df6ec2e2d10480bfc1cec27138c917db2ff56190c1d39401f21ce6fd05d5b61ebd452dad4c38928ed7a2c1b529b7df70

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f4160961ceec5cfc0679d34baf2caf6c

SHA1
eeb1d576fc46e60e7bb566b058f6cc2d092789a8

SHA256
c6987f196ae39e89b08949df9dde10a44fbf771ae05416f2e8982ccade10eadd

SHA512
aaba843497c25aa820d96a6fce04513db7fa1c4ad685d48f540f315410582dce8a7ee2e3989965d5afff11e27c818633e910f8f32f58c3ec83abc552013ee9f8

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f4160961ceec5cfc0679d34baf2caf6c

SHA1
eeb1d576fc46e60e7bb566b058f6cc2d092789a8

SHA256
c6987f196ae39e89b08949df9dde10a44fbf771ae05416f2e8982ccade10eadd

SHA512
aaba843497c25aa820d96a6fce04513db7fa1c4ad685d48f540f315410582dce8a7ee2e3989965d5afff11e27c818633e910f8f32f58c3ec83abc552013ee9f8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
2bafc5b93ff00be4d019d499c0df7383

SHA1
9d12f7b16a918150e9d7158641f2d6db371dbc98

SHA256
7dfee34f26ec0a6c9526ba98c3323ee9b8797291b28a48c1b881611058aa83f2

SHA512
fee2a53259b0ab9cccc4d914b4ca9d847911f051b71e89e86f3e8df4bff76f49366f81fe12e33599b3e434ddc497bfeacfac8d92f9d74311a44f269031aa4383

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
2bafc5b93ff00be4d019d499c0df7383

SHA1
9d12f7b16a918150e9d7158641f2d6db371dbc98

SHA256
7dfee34f26ec0a6c9526ba98c3323ee9b8797291b28a48c1b881611058aa83f2

SHA512
fee2a53259b0ab9cccc4d914b4ca9d847911f051b71e89e86f3e8df4bff76f49366f81fe12e33599b3e434ddc497bfeacfac8d92f9d74311a44f269031aa4383

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
92c18edc8060b8674272f465323b65cf

SHA1
f3694a4dab5169958f21dd299bda69b5f65526b4

SHA256
2a607e9c6778572d1b0785f656f4e59195cfe4abe49a5f32f155eec605b823e5

SHA512
b53d4cb1ed473eabb729768d17a563b3fbf9f4d89703ad31454c38be72cb8a609767ac19d08e8a50824be9a3126102ee1870b2dc430088d6424c38ec156eb232

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
92c18edc8060b8674272f465323b65cf

SHA1
f3694a4dab5169958f21dd299bda69b5f65526b4

SHA256
2a607e9c6778572d1b0785f656f4e59195cfe4abe49a5f32f155eec605b823e5

SHA512
b53d4cb1ed473eabb729768d17a563b3fbf9f4d89703ad31454c38be72cb8a609767ac19d08e8a50824be9a3126102ee1870b2dc430088d6424c38ec156eb232

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
67f3101d5a118f21085a66e46b7d40e3

SHA1
689c7ab2d557f606abe18babbac7ff3b524c6643

SHA256
feee96031290a3c9248a9f55520570265adf10acf0b3494a7d450257a77aefed

SHA512
0105d8208dfb4ac00eaaa11be29f7fb08d63e355db57ff935663513c492d11efbe3377169d36530bfd77dbc4aa637b65303024a48618b79e54d5303266ccadcb

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
78945c2bd9ea2815bd3a12c135c06722

SHA1
6547e5f66d4bd3e50bfd7f22ce0cb44a523289c7

SHA256
d1563363d26c3d7eb6e13d6ec48651f6372131ab41eaafd146b177044cbb32cc

SHA512
af0113b9371e0a5e72473db4c9f845aa2c2118a4aa568edf56128d8ea8f84b1a3a211032dd0dd6f1eca6b64a3fef0d6ddc16fb0de3f2038374ded5f335abd0fc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bbf02e27d3e4d01cab30ea12b3474259

SHA1
9c6186fbfeba8cb569c0e4b46ae507f20b31eaf9

SHA256
227b88507b85b33a1f3d1d138f2dadeab23752f511cc3096e7633a379a5133b2

SHA512
0875b99fb23ef565c96377537a692f298158a7491323812dbd0dffd26528883931a311c11a0845c21044df614f66085ae1a59b0d1777744773c2abbf0e6aa8a7

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bbf02e27d3e4d01cab30ea12b3474259

SHA1
9c6186fbfeba8cb569c0e4b46ae507f20b31eaf9

SHA256
227b88507b85b33a1f3d1d138f2dadeab23752f511cc3096e7633a379a5133b2

SHA512
0875b99fb23ef565c96377537a692f298158a7491323812dbd0dffd26528883931a311c11a0845c21044df614f66085ae1a59b0d1777744773c2abbf0e6aa8a7

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9990a40c0a3d7e15424037e49cc281fd

SHA1
dd07479db715359ca7f587a8df87f852723a9fa7

SHA256
f90f75937771cbe5fbdfc05520fc502b8fbb7cfd03af1d71b1ba4456e5c09a04

SHA512
b68ce09061ec654d3e01d085511eb0c503cb985a390dd24ed2d000752d01255342bf48293c7143f0866dfffc9d5a3c39d5f24554429c367db4d1592b3578039c

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
235c010884fd5eadde13b1f0744b4255

SHA1
d05a66b3fe74c80db5aed7ed6563c2f3af1332d0

SHA256
f0a04aacea0f7b7339e2fb627d4383aaff520ea4897e593e64700b994a40285c

SHA512
16a462d04cfb68f3003e78aa3b0a78e2e1677dbdc6ca6d8ec4ac96946edeaf23cd9e4cce9bf6b42fbd2de6f9df96459c7432fedc3d743d5db7d2cdb2cc028ce7

Download Submit
\Users\Admin\AppData\Local\Temp\2682006580\backup.exe

Filesize
72KB

MD5
9307de7b3bad234364b9226fc6c08f02

SHA1
55745125f80e826623eeb12cb92da33820289593

SHA256
1bc91e2c1c11b62385a6cf274806ee6d73e653bc484b2b69c2c7311b4b504ce0

SHA512
f4e60078cda1da734980048156e3b842152a4c450fc1266412cbeb6d69f7363c576cf8ee900d60351e4964d92bb4be285335c2a979786c661ee50105743d5170

Download Submit
\Users\Admin\AppData\Local\Temp\2682006580\backup.exe

Filesize
72KB

MD5
9307de7b3bad234364b9226fc6c08f02

SHA1
55745125f80e826623eeb12cb92da33820289593

SHA256
1bc91e2c1c11b62385a6cf274806ee6d73e653bc484b2b69c2c7311b4b504ce0

SHA512
f4e60078cda1da734980048156e3b842152a4c450fc1266412cbeb6d69f7363c576cf8ee900d60351e4964d92bb4be285335c2a979786c661ee50105743d5170

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
150abe58268462a22edf8a448274e38b

SHA1
8f2775213bf125fa39bc6c8509be0c085376ae8b

SHA256
a57242235b50588c5bdd62ff8ca02422a1aeac8d8f9dfae06cbe374cf78bcd98

SHA512
515f803d31e6191723037d29f235bc36a9fcbdeb92cbed516c358be1990b49e4ecac4c918fe456d3d249af2ba09dcc26b0c543f60d981d6f86631c186f2cd6ec

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ac653b297a3e9d9b687cfaef258af3a9

SHA1
8b219b3de07788395a648bb3db1cc26d428f06e4

SHA256
90c913a60e2c40663b6b2a9290e6ffda6fe606f4eafbb957a83a80832a36b1b5

SHA512
a222844cb32d9c0d2d60bf26ba69eae19ab054a514900def686ed977a90fae4c15f45e5d8f757589d06ac27d6375d839bfe0b8591b49b175d87fd4eb75df5132

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ac653b297a3e9d9b687cfaef258af3a9

SHA1
8b219b3de07788395a648bb3db1cc26d428f06e4

SHA256
90c913a60e2c40663b6b2a9290e6ffda6fe606f4eafbb957a83a80832a36b1b5

SHA512
a222844cb32d9c0d2d60bf26ba69eae19ab054a514900def686ed977a90fae4c15f45e5d8f757589d06ac27d6375d839bfe0b8591b49b175d87fd4eb75df5132

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5bef2b4bd29d31074a0bd4afd6922062

SHA1
bfde384d17a6da80ca775c797cedcadcbe0a5129

SHA256
3f523a9aa43dbfca3de601c0e526f6f66d943cb35d7d7a5fed9a5b5f3c561281

SHA512
f3edc223de639a965b44a5d09307c73bb304e06e10ce029f96b4b5df997fcc49a984a4deeeca1433a2e20c4672e126ca870228768d38e7e7d1cecdc4c2d30b69

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6255d202bb40509bdfbf8949ef482952

SHA1
4c8da3e9ae09def167d3c82993218a34d261d39b

SHA256
f3271611783581d48e898ddf15e1b8c9f1424884c932872264871aa8faa6d213

SHA512
29125157a3a9fc5ed3b05b3c754a7794df6ec2e2d10480bfc1cec27138c917db2ff56190c1d39401f21ce6fd05d5b61ebd452dad4c38928ed7a2c1b529b7df70

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6255d202bb40509bdfbf8949ef482952

SHA1
4c8da3e9ae09def167d3c82993218a34d261d39b

SHA256
f3271611783581d48e898ddf15e1b8c9f1424884c932872264871aa8faa6d213

SHA512
29125157a3a9fc5ed3b05b3c754a7794df6ec2e2d10480bfc1cec27138c917db2ff56190c1d39401f21ce6fd05d5b61ebd452dad4c38928ed7a2c1b529b7df70

Download Submit
memory/276-322-0x0000000000000000-mapping.dmp

Download
memory/340-203-0x0000000000000000-mapping.dmp

Download
memory/340-86-0x0000000000000000-mapping.dmp

Download
memory/360-81-0x0000000000000000-mapping.dmp

Download
memory/520-95-0x0000000000000000-mapping.dmp

Download
memory/552-226-0x0000000000000000-mapping.dmp

Download
memory/572-194-0x0000000000000000-mapping.dmp

Download
memory/580-257-0x0000000000000000-mapping.dmp

Download
memory/588-278-0x0000000000000000-mapping.dmp

Download
memory/592-274-0x0000000000000000-mapping.dmp

Download
memory/604-289-0x0000000000000000-mapping.dmp

Download
memory/700-130-0x0000000000000000-mapping.dmp

Download
memory/748-253-0x0000000000000000-mapping.dmp

Download
memory/772-320-0x0000000000000000-mapping.dmp

Download
memory/812-119-0x0000000000000000-mapping.dmp

Download
memory/832-163-0x0000000000000000-mapping.dmp

Download
memory/848-187-0x0000000000000000-mapping.dmp

Download
memory/864-230-0x0000000000000000-mapping.dmp

Download
memory/908-293-0x0000000000000000-mapping.dmp

Download
memory/916-309-0x0000000000000000-mapping.dmp

Download
memory/968-235-0x0000000000000000-mapping.dmp

Download
memory/968-326-0x0000000000000000-mapping.dmp

Download
memory/972-101-0x0000000000000000-mapping.dmp

Download
memory/972-209-0x0000000000000000-mapping.dmp

Download
memory/1004-114-0x0000000000000000-mapping.dmp

Download
memory/1012-108-0x0000000000000000-mapping.dmp

Download
memory/1116-327-0x0000000000000000-mapping.dmp

Download
memory/1116-236-0x0000000000000000-mapping.dmp

Download
memory/1124-325-0x0000000000000000-mapping.dmp

Download
memory/1264-118-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1272-310-0x0000000000000000-mapping.dmp

Download
memory/1296-225-0x0000000000000000-mapping.dmp

Download
memory/1304-219-0x0000000000000000-mapping.dmp

Download
memory/1324-141-0x0000000000000000-mapping.dmp

Download
memory/1328-318-0x0000000000000000-mapping.dmp

Download
memory/1348-218-0x0000000000000000-mapping.dmp

Download
memory/1356-298-0x0000000000000000-mapping.dmp

Download
memory/1368-282-0x0000000000000000-mapping.dmp

Download
memory/1372-197-0x0000000000000000-mapping.dmp

Download
memory/1376-243-0x0000000000000000-mapping.dmp

Download
memory/1464-184-0x0000000000000000-mapping.dmp

Download
memory/1496-71-0x0000000000000000-mapping.dmp

Download
memory/1512-249-0x0000000000000000-mapping.dmp

Download
memory/1536-208-0x0000000000000000-mapping.dmp

Download
memory/1572-170-0x0000000000000000-mapping.dmp

Download
memory/1596-181-0x0000000000000000-mapping.dmp

Download
memory/1612-307-0x0000000000000000-mapping.dmp

Download
memory/1648-258-0x0000000000000000-mapping.dmp

Download
memory/1672-259-0x0000000000000000-mapping.dmp

Download
memory/1676-171-0x0000000000000000-mapping.dmp

Download
memory/1684-242-0x0000000000000000-mapping.dmp

Download
memory/1688-304-0x0000000000000000-mapping.dmp

Download
memory/1692-270-0x0000000000000000-mapping.dmp

Download
memory/1696-266-0x0000000000000000-mapping.dmp

Download
memory/1700-64-0x0000000000000000-mapping.dmp

Download
memory/1720-75-0x0000000000000000-mapping.dmp

Download
memory/1772-297-0x0000000000000000-mapping.dmp

Download
memory/1776-152-0x0000000000000000-mapping.dmp

Download
memory/1788-329-0x0000000000000000-mapping.dmp

Download
memory/1796-215-0x0000000000000000-mapping.dmp

Download
memory/1804-280-0x0000000000000000-mapping.dmp

Download
memory/1812-177-0x0000000000000000-mapping.dmp

Download
memory/1820-191-0x0000000000000000-mapping.dmp

Download
memory/1832-201-0x0000000000000000-mapping.dmp

Download
memory/1956-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads