129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
Size

72KB
MD5

017148214a572c66b2bd1305397cc920
SHA1

43a5b2dff57ffd0e19c102e3a79a7cecd3f0e061
SHA256

129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d
SHA512

8cba6762ff73d2c8bc15cdaa20c732b35d1c19e0812b8dd1965e06db1a2e2bea60114ee99d109c57ae7dcf8e6f0cb22feb7b68e74373a028f10c9ef59b789c80
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf28:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrQ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1208	backup.exe
936	backup.exe
920	backup.exe
1064	backup.exe
760	backup.exe
1708	backup.exe
1452	backup.exe
1720	backup.exe
1940	backup.exe
952	System Restore.exe
1236	backup.exe
924	backup.exe
748	backup.exe
752	backup.exe
1472	update.exe
368	backup.exe
1120	backup.exe
1332	backup.exe
1264	backup.exe
1772	backup.exe
288	backup.exe
1260	backup.exe
1820	backup.exe
1688	backup.exe
1868	backup.exe
992	backup.exe
1700	backup.exe
388	backup.exe
1884	backup.exe
436	backup.exe
948	backup.exe
1384	backup.exe
1676	backup.exe
820	backup.exe
980	backup.exe
668	backup.exe
1604	backup.exe
1528	backup.exe
1996	backup.exe
760	backup.exe
2028	backup.exe
1852	backup.exe
1468	data.exe
1980	backup.exe
1300	backup.exe
984	backup.exe
1736	backup.exe
780	backup.exe
592	data.exe
1340	backup.exe
396	System Restore.exe
1688	backup.exe
1276	backup.exe
1576	backup.exe
296	System Restore.exe
1448	backup.exe
1124	backup.exe
824	backup.exe
368	backup.exe
1336	backup.exe
700	backup.exe
812	backup.exe
1136	backup.exe
1532	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1720	backup.exe
1720	backup.exe
1940	backup.exe
1940	backup.exe
1720	backup.exe
1720	backup.exe
1236	backup.exe
1236	backup.exe
924	backup.exe
924	backup.exe
1236	backup.exe
1236	backup.exe
752	backup.exe
1472	update.exe
1472	update.exe
1472	update.exe
1472	update.exe
1472	update.exe
368	backup.exe
368	backup.exe
368	backup.exe
1472	update.exe
1472	update.exe
1120	backup.exe
1120	backup.exe
1120	backup.exe
1576	backup.exe
1576	backup.exe
1332	backup.exe
1332	backup.exe
1332	backup.exe
1576	backup.exe
1576	backup.exe
1264	backup.exe
1264	backup.exe
1264	backup.exe
1576	backup.exe
1576	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1576	backup.exe
1576	backup.exe
288	backup.exe
288	backup.exe
288	backup.exe
1576	backup.exe
1576	backup.exe
1260	backup.exe
1260	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	update.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
1208	backup.exe
936	backup.exe
920	backup.exe
1064	backup.exe
760	backup.exe
1708	backup.exe
1452	backup.exe
1720	backup.exe
1940	backup.exe
952	System Restore.exe
1236	backup.exe
924	backup.exe
748	backup.exe
752	backup.exe
1472	update.exe
368	backup.exe
980	backup.exe
1780	backup.exe
1116	backup.exe
1140	backup.exe
1532	backup.exe
332	backup.exe
760	backup.exe
2028	backup.exe
1092	backup.exe
1808	backup.exe
1512	backup.exe
1576	backup.exe
1332	backup.exe
1264	backup.exe
1772	backup.exe
288	backup.exe
1260	backup.exe
1820	backup.exe
1688	backup.exe
1868	backup.exe
992	backup.exe
1896	backup.exe
964	backup.exe
1432	backup.exe
1676	backup.exe
1712	backup.exe
544	backup.exe
1336	backup.exe
936	backup.exe
848	backup.exe
1528	backup.exe
1008	backup.exe
1272	backup.exe
1108	backup.exe
1708	backup.exe
1588	backup.exe
1504	backup.exe
1980	backup.exe
1992	backup.exe
1424	backup.exe
1580	backup.exe
1240	backup.exe
592	backup.exe
288	backup.exe
1684	backup.exe
1816	backup.exe
1700	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1208	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	27
PID 1380 wrote to memory of 1208	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	27
PID 1380 wrote to memory of 1208	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	27
PID 1380 wrote to memory of 1208	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	27
PID 1380 wrote to memory of 936	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	28
PID 1380 wrote to memory of 936	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	28
PID 1380 wrote to memory of 936	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	28
PID 1380 wrote to memory of 936	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	28
PID 1380 wrote to memory of 920	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	29
PID 1380 wrote to memory of 920	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	29
PID 1380 wrote to memory of 920	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	29
PID 1380 wrote to memory of 920	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	29
PID 1380 wrote to memory of 1064	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	30
PID 1380 wrote to memory of 1064	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	30
PID 1380 wrote to memory of 1064	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	30
PID 1380 wrote to memory of 1064	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	30
PID 1380 wrote to memory of 760	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	31
PID 1380 wrote to memory of 760	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	31
PID 1380 wrote to memory of 760	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	31
PID 1380 wrote to memory of 760	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	31
PID 1380 wrote to memory of 1708	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	32
PID 1380 wrote to memory of 1708	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	32
PID 1380 wrote to memory of 1708	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	32
PID 1380 wrote to memory of 1708	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	32
PID 1380 wrote to memory of 1452	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	33
PID 1380 wrote to memory of 1452	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	33
PID 1380 wrote to memory of 1452	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	33
PID 1380 wrote to memory of 1452	1380	129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe	33
PID 1208 wrote to memory of 1720	1208	backup.exe	34
PID 1208 wrote to memory of 1720	1208	backup.exe	34
PID 1208 wrote to memory of 1720	1208	backup.exe	34
PID 1208 wrote to memory of 1720	1208	backup.exe	34
PID 1720 wrote to memory of 1940	1720	backup.exe	35
PID 1720 wrote to memory of 1940	1720	backup.exe	35
PID 1720 wrote to memory of 1940	1720	backup.exe	35
PID 1720 wrote to memory of 1940	1720	backup.exe	35
PID 1940 wrote to memory of 952	1940	backup.exe	36
PID 1940 wrote to memory of 952	1940	backup.exe	36
PID 1940 wrote to memory of 952	1940	backup.exe	36
PID 1940 wrote to memory of 952	1940	backup.exe	36
PID 1720 wrote to memory of 1236	1720	backup.exe	37
PID 1720 wrote to memory of 1236	1720	backup.exe	37
PID 1720 wrote to memory of 1236	1720	backup.exe	37
PID 1720 wrote to memory of 1236	1720	backup.exe	37
PID 1236 wrote to memory of 924	1236	backup.exe	38
PID 1236 wrote to memory of 924	1236	backup.exe	38
PID 1236 wrote to memory of 924	1236	backup.exe	38
PID 1236 wrote to memory of 924	1236	backup.exe	38
PID 924 wrote to memory of 748	924	backup.exe	39
PID 924 wrote to memory of 748	924	backup.exe	39
PID 924 wrote to memory of 748	924	backup.exe	39
PID 924 wrote to memory of 748	924	backup.exe	39
PID 1236 wrote to memory of 752	1236	backup.exe	40
PID 1236 wrote to memory of 752	1236	backup.exe	40
PID 1236 wrote to memory of 752	1236	backup.exe	40
PID 1236 wrote to memory of 752	1236	backup.exe	40
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 752 wrote to memory of 1472	752	backup.exe	41
PID 1472 wrote to memory of 368	1472	update.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe
"C:\Users\Admin\AppData\Local\Temp\129c1b6308fe453f663d36d141cd3e3a8a36498d3a18f3f9f0eafa0bdcfac45d.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\3094396302\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3094396302\backup.exe C:\Users\Admin\AppData\Local\Temp\3094396302\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1940
    - - C:\PerfLogs\Admin\System Restore.exe
        
        "C:\PerfLogs\Admin\System Restore.exe" C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:752
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:388
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1448
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        System policy modification
        
        PID:1124
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:824
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:368
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:700
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1136
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:536
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:620
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1596
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:748
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:972
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1272
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1576
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:744
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1260
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1376
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:912
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1280
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1532
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1092
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1280
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
      - C:\Program Files\DVD Maker\fr-FR\System Restore.exe
        
        "C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1940
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1820
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1636
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1620
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1448
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1272
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1656
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:1708
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1036
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1908
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1672
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1820
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1328
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1180
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:1884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:1868
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1504
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:1108
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:960
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1928
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2004
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1036
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1588
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1440
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1804
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:848
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1684
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1712
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1528
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2008
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:852
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      System policy modification
      PID:1336
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        
        PID:812
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        System policy modification
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Drops file in Program Files directory
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Drops file in Program Files directory
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        System policy modification
        
        PID:296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1976
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1996
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:872
      - C:\Program Files (x86)\Common Files\Adobe AIR\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1180
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1980
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1376
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1964
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:936
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:288
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:752
      - C:\Program Files (x86)\Internet Explorer\en-US\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\update.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1780
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:880
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:924
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1464
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:888
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:276
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1852
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1540
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:980
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:984
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:808
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1556
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1424
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1676
      - C:\Users\Public\Pictures\System Restore.exe
        
        "C:\Users\Public\Pictures\System Restore.exe" C:\Users\Public\Pictures\
        6⤵
        
        PID:656
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:2028
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1680
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Disables RegEdit via registry modification
        
        PID:436
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:812
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1544
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:296
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1232
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:936
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:760
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
456877389df291570869d39f69d2383b

SHA1
7bf395a5638683fe1b71666c25412cf3a3f2aa5c

SHA256
ad83567d3a7ad5070d2c1b2b2aecd3509e2a5084a8f4b12015c8bc2aba587a32

SHA512
002b20a12ff90580b4c7be4892bede034355945d8305beb66659cd6b6b323e08bc07398a3446bf793155b5a3c136503ae517c4bdb3eb9ad12f8043be93566761

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\3094396302\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\3094396302\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c8edadfd0092145df6cfd8e19cacd9f0

SHA1
6689be5cbab89d05977a21845c3203a5c843e8c2

SHA256
6dccf47452bd4a6f42d26e01d410974e342d356d984fc0f2dc0162a2dff26d1e

SHA512
3e88df5a3e25bceafe992d137f893cab1bb14a1ae257be323e89a8c58fcb9fa4f677fe79379e40ac60120a629577c8b165340fd5b2310c2b2c1a998cfeb2ca50

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c8edadfd0092145df6cfd8e19cacd9f0

SHA1
6689be5cbab89d05977a21845c3203a5c843e8c2

SHA256
6dccf47452bd4a6f42d26e01d410974e342d356d984fc0f2dc0162a2dff26d1e

SHA512
3e88df5a3e25bceafe992d137f893cab1bb14a1ae257be323e89a8c58fcb9fa4f677fe79379e40ac60120a629577c8b165340fd5b2310c2b2c1a998cfeb2ca50

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
456877389df291570869d39f69d2383b

SHA1
7bf395a5638683fe1b71666c25412cf3a3f2aa5c

SHA256
ad83567d3a7ad5070d2c1b2b2aecd3509e2a5084a8f4b12015c8bc2aba587a32

SHA512
002b20a12ff90580b4c7be4892bede034355945d8305beb66659cd6b6b323e08bc07398a3446bf793155b5a3c136503ae517c4bdb3eb9ad12f8043be93566761

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
456877389df291570869d39f69d2383b

SHA1
7bf395a5638683fe1b71666c25412cf3a3f2aa5c

SHA256
ad83567d3a7ad5070d2c1b2b2aecd3509e2a5084a8f4b12015c8bc2aba587a32

SHA512
002b20a12ff90580b4c7be4892bede034355945d8305beb66659cd6b6b323e08bc07398a3446bf793155b5a3c136503ae517c4bdb3eb9ad12f8043be93566761

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
83e8d3363c602c53437b34a55202e494

SHA1
6a9f686b3f992d97019c6fdfee2ccbf6c3b2750f

SHA256
0d48ed791b307af9dc4e5d469512bedd2754e9fa93a356ce9ea3ff303e171c28

SHA512
15d015b3c53d5c26114c042f55a50535e7e6c5fdf97a461d05e5c408874570c6b2876e4ed7f5687cd8e2eee5233d2c2a43ae434adf3904ce81a709704323760a

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
3b95f01687b90f37665e5d1a653b1a16

SHA1
de62a32bcab66bf9fb6ef48f96dc6835ba1b181d

SHA256
090085f58c5f3447cf820f9c5d3bc536254e7f99b847e7f18321a8645120cf7a

SHA512
2e6a04bd51c80d3c03da17ecde64d9875f9dc8bd61a39583cd7bbfe1daf788ba828717fda39e3aed3ce9dfc959d9eb5cdf1de8de502dab051a76af3220c98d55

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8cc5f4010a13cf7eeae5e3a9d187a12f

SHA1
609dffff2b8cfed9cbe7f454eebd4360b20f0f4e

SHA256
db48592c457b9a13ebf122cadfef5983444d90e913115a3c26089275461d8c23

SHA512
99cd29a539b389bf23771a0dbd36b819f7bd2bd78e31a09eeafed3b0ec693ac242add9581a468ff31e8d97283c100c4ec25b03c087a15c3c8361ee1bc8174ef4

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
a6a82a808363b1df8c706f49eaeca0a0

SHA1
03dad2b2606a0b7b2c39e9a17379bc8dbef1443c

SHA256
b25e768c3d01b9da6178dc1f9d796e6c76c1c94f3b2b92e7d64da5a76c3f6138

SHA512
0791a181069fd5d7069566d248d81ec6df702d59663de8023b909f397e33abc91b2164aa3268c21eba1216aece3298556286da8dd3e910b9440ff1e21cc3bb46

Download Submit
\Users\Admin\AppData\Local\Temp\3094396302\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\3094396302\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d606fc87b17d42e208f56258c08db089

SHA1
d65cf6a1a78e5922455fef815c56250181326d20

SHA256
505677a1dcd3c966bebc5504ac1b8149b06ba30caa41369a18774b5f83f74817

SHA512
2f794a42488bd34b760ef09da0a799f643d5dcccb94d37c196fd6da2021076a37b3bf3a3b27904f257274d34dac70aecf5c6836f0c228a3831fda4abe1d8e450

Download Submit
memory/1380-98-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-105-0x0000000074221000-0x0000000074223000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads