d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9

Analysis

max time kernel
149s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
Size

72KB
MD5

024aede4c8df0e8901e034792b690f48
SHA1

e34c5df05db74cfb2bee5afaeb0ccb09cfcfb754
SHA256

d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9
SHA512

033e45e23fd5317eccadce92a634436a9cdbf725e9ce4b8fb21af95a460b1ef8414ddee658b0c9e335f0a7d5ca4233df2ecd78603857acaa1555ca2491ea13da
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2U:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPA

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1128	update.exe
1192	backup.exe
636	backup.exe
288	backup.exe
1484	backup.exe
964	backup.exe
1540	backup.exe
1644	backup.exe
328	backup.exe
808	backup.exe
1440	backup.exe
1224	backup.exe
1756	backup.exe
1736	backup.exe
784	backup.exe
1396	backup.exe
1724	backup.exe
1392	backup.exe
1816	backup.exe
608	backup.exe
480	backup.exe
748	backup.exe
1464	backup.exe
1596	backup.exe
816	backup.exe
1116	backup.exe
548	backup.exe
1680	backup.exe
1052	backup.exe
1752	update.exe
1076	backup.exe
1648	backup.exe
1200	backup.exe
1768	backup.exe
1308	backup.exe
996	backup.exe
1412	backup.exe
1328	backup.exe
1872	backup.exe
1492	update.exe
1772	backup.exe
1512	backup.exe
888	System Restore.exe
672	backup.exe
1820	backup.exe
844	backup.exe
1936	backup.exe
1456	backup.exe
2016	backup.exe
428	backup.exe
1832	data.exe
1196	backup.exe
1296	backup.exe
1972	backup.exe
1624	System Restore.exe
1352	backup.exe
108	backup.exe
1760	backup.exe
1876	backup.exe
996	backup.exe
1980	backup.exe
268	backup.exe
1192	backup.exe
1260	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1128	update.exe
1128	update.exe
1128	update.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
964	backup.exe
964	backup.exe
328	backup.exe
328	backup.exe
328	backup.exe
328	backup.exe
328	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
964	backup.exe
964	backup.exe
1440	backup.exe
1440	backup.exe
1440	backup.exe
1440	backup.exe
1440	backup.exe
1224	backup.exe
1224	backup.exe
1224	backup.exe
964	backup.exe
964	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1224	backup.exe
1224	backup.exe
1736	backup.exe
1736	backup.exe
784	backup.exe
784	backup.exe
784	backup.exe
1396	backup.exe
1396	backup.exe
1396	backup.exe
1440	backup.exe
1440	backup.exe
1396	backup.exe
1396	backup.exe
1724	backup.exe
1724	backup.exe
1724	backup.exe
1392	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\data.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
1128	update.exe
1192	backup.exe
636	backup.exe
288	backup.exe
1484	backup.exe
1540	backup.exe
964	backup.exe
1644	backup.exe
328	backup.exe
808	backup.exe
1440	backup.exe
1224	backup.exe
1756	backup.exe
1736	backup.exe
784	backup.exe
1396	backup.exe
1724	backup.exe
1392	backup.exe
1816	backup.exe
608	backup.exe
480	backup.exe
748	backup.exe
1464	backup.exe
1596	backup.exe
816	backup.exe
1116	backup.exe
548	backup.exe
1680	backup.exe
1752	update.exe
1052	backup.exe
1076	backup.exe
1648	backup.exe
1200	backup.exe
1768	backup.exe
1308	backup.exe
996	backup.exe
1412	backup.exe
1328	backup.exe
1872	backup.exe
1492	update.exe
1512	backup.exe
1772	backup.exe
888	System Restore.exe
672	backup.exe
1820	backup.exe
844	backup.exe
1936	backup.exe
1456	backup.exe
2016	backup.exe
428	backup.exe
1832	data.exe
1196	backup.exe
1296	backup.exe
1972	backup.exe
1624	System Restore.exe
1352	backup.exe
108	backup.exe
1760	backup.exe
1876	backup.exe
996	backup.exe
1980	backup.exe
268	backup.exe
1192	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1128	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	28
PID 1696 wrote to memory of 1192	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	29
PID 1696 wrote to memory of 1192	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	29
PID 1696 wrote to memory of 1192	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	29
PID 1696 wrote to memory of 1192	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	29
PID 1696 wrote to memory of 636	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	30
PID 1696 wrote to memory of 636	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	30
PID 1696 wrote to memory of 636	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	30
PID 1696 wrote to memory of 636	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	30
PID 1696 wrote to memory of 288	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	31
PID 1696 wrote to memory of 288	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	31
PID 1696 wrote to memory of 288	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	31
PID 1696 wrote to memory of 288	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	31
PID 1696 wrote to memory of 1484	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	32
PID 1696 wrote to memory of 1484	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	32
PID 1696 wrote to memory of 1484	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	32
PID 1696 wrote to memory of 1484	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	32
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1128 wrote to memory of 964	1128	update.exe	33
PID 1696 wrote to memory of 1540	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	34
PID 1696 wrote to memory of 1540	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	34
PID 1696 wrote to memory of 1540	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	34
PID 1696 wrote to memory of 1540	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	34
PID 1696 wrote to memory of 1644	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	35
PID 1696 wrote to memory of 1644	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	35
PID 1696 wrote to memory of 1644	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	35
PID 1696 wrote to memory of 1644	1696	d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe	35
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 964 wrote to memory of 328	964	backup.exe	36
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 328 wrote to memory of 808	328	backup.exe	37
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 964 wrote to memory of 1440	964	backup.exe	38
PID 1440 wrote to memory of 1224	1440	backup.exe	39
PID 1440 wrote to memory of 1224	1440	backup.exe	39
PID 1440 wrote to memory of 1224	1440	backup.exe	39
PID 1440 wrote to memory of 1224	1440	backup.exe	39
PID 1440 wrote to memory of 1224	1440	backup.exe	39

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe
"C:\Users\Admin\AppData\Local\Temp\d75ea40edd189fd7776fa076692983190401f05ac454da587735d532979403f9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\2311327147\update.exe
  C:\Users\Admin\AppData\Local\Temp\2311327147\update.exe C:\Users\Admin\AppData\Local\Temp\2311327147\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:964
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:328
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:808
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1440
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1224
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:784
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1392
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:384
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1080
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:784
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1448
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:800
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1656
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1200
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1988
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:328
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1348
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:1120
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:672
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1152
      - C:\Program Files\DVD Maker\fr-FR\data.exe
        
        "C:\Program Files\DVD Maker\fr-FR\data.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1720
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2016
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1224
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1460
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:520
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1448
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1672
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1984
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:268
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:684
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1088
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1756
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:992
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1604
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1876
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1512
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\update.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:808
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1260
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:528
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:608
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:552
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1716
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1548
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:968
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:672
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:996
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:480
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1600
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:744
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1724
  - - C:\Windows\data.exe
      C:\Windows\data.exe C:\Windows\
      4⤵
      PID:556
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:636
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:288
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
91f274d837a0f5d1d24103a7c7dc61ea

SHA1
ec634a431349aa2dcdacc65c30328ededf1a565b

SHA256
a7198a6fad9835173a4d72d715444c24955f457cd310a2163096508bcc966110

SHA512
2fcda6ac503c626043b3ebe84fa49cb5fe7ab9210154f96bd0883110f68b8320f3b1839ebb4cfe1f4ae0bc2f0e161d3f583545c71e730f989dd336694bcd2af9

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
C:\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f6e599cbfd67e53358e6419e5157f0d1

SHA1
7ce48d543dcb9d02503f091250189c116a570119

SHA256
d99864e939a55c85e046f52ab4151c4e9c5351341ee526b41d2ddaf6d5786b34

SHA512
725256c9caf122f3fd94776545eef739603638ed055b1a3f358f0f411ae99c565571d3d7d224b515df03fba3bc402570b29e3639081f5ce9a0f7e2d7c43df8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
fa2ad40d9b8f4317a804142d2505d4f4

SHA1
23ad7a338461b9507d5f132a6f7e1c95ba4f2846

SHA256
259cc9ea8e10332ab00344bc0907c84dfdc1fba7c0f9053b8b02cbbb825b7155

SHA512
64a4c6219a48de3ccad58947b095526c59ed206217dd5ae9e9254e304a34d5ced91c8f8fc4128ce51d9c1855c13390e325acda8a09a986ea4e6bde7beff32c9a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c47e9edbd7d0cb20af43b659869ae672

SHA1
c5907a57fecf20a7223ad78bb6d5b5662ad8760a

SHA256
5a689fa77057aa64155236eccbc7f98a24ebc7aa7dafee2903b1f5b41f9768e2

SHA512
03d13d58a69dc22d57afacd298ae7fc5d6d502a9dfb4da6728e77b4062f4009fac8e8f8e6156db9fb1727955b8a0d734062b1016aca2fb4ce6baaefb6832e247

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c47e9edbd7d0cb20af43b659869ae672

SHA1
c5907a57fecf20a7223ad78bb6d5b5662ad8760a

SHA256
5a689fa77057aa64155236eccbc7f98a24ebc7aa7dafee2903b1f5b41f9768e2

SHA512
03d13d58a69dc22d57afacd298ae7fc5d6d502a9dfb4da6728e77b4062f4009fac8e8f8e6156db9fb1727955b8a0d734062b1016aca2fb4ce6baaefb6832e247

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37205faaa2f981b1a19b3e8995d771fe

SHA1
bb23ce951465cc4cc1224411632f5c107abb6143

SHA256
f6e7ce4771404aec78df1d4c61016b9b58ee4fb35c66b056606d83e009cb4c89

SHA512
001b9df3c20ba919773399c3212ac6bae828d635f2fa179653850396d2fc34b3305dd50e04d55e2a3ec001f8fe3baf1f156a5c7fe775e620e964ef2097f6ee8d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
43e603d0bef606eee04303010721b91c

SHA1
171638310dbfbfa3248f5c4f85da5a943079a602

SHA256
234f5105d56d1eb7ba727a8875d602a6c597f4eed0f51b8d024859e4f10d6c34

SHA512
a3b2222c3fb85af11d45ac73fb62cfc7c0904fa4917bec7f3053b74b68487e34a4463f53f4317fedf675ff9738b1397842d81357d094f6952c1634e0de8d582e

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
91f274d837a0f5d1d24103a7c7dc61ea

SHA1
ec634a431349aa2dcdacc65c30328ededf1a565b

SHA256
a7198a6fad9835173a4d72d715444c24955f457cd310a2163096508bcc966110

SHA512
2fcda6ac503c626043b3ebe84fa49cb5fe7ab9210154f96bd0883110f68b8320f3b1839ebb4cfe1f4ae0bc2f0e161d3f583545c71e730f989dd336694bcd2af9

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
91f274d837a0f5d1d24103a7c7dc61ea

SHA1
ec634a431349aa2dcdacc65c30328ededf1a565b

SHA256
a7198a6fad9835173a4d72d715444c24955f457cd310a2163096508bcc966110

SHA512
2fcda6ac503c626043b3ebe84fa49cb5fe7ab9210154f96bd0883110f68b8320f3b1839ebb4cfe1f4ae0bc2f0e161d3f583545c71e730f989dd336694bcd2af9

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
7eac926b73d623a0d5b60d2bf373f4ee

SHA1
f193e6beb3e7861f65ca6cf04f67d7981f9a4aed

SHA256
ecc8edd1270cf21c02429f64a26106d3677b11097a9c277daae02b64897aa4da

SHA512
7f466a528901f23258919cf0a6398f8e48f0c9a86f9831de25b2d6e4ace5d3954f12b2b22600ca5fd274e3074a99902b0fd076d1b5b411e2b5b2310ef061214b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e726c3587a6c4a993faae13d9a722792

SHA1
7cd7c403c9aacc8b5a61de82f8dbc89e58522861

SHA256
973c5608a385abb5e3482bd94791d85a22c9f6f9d5f7ec1e33bb88b41d70c86b

SHA512
823014a3980cf3517f1bfc1b1b8c4347c99f7e871c841620a1aa7cd13984e2cdda6d76fc75c72d12959e54c57bfe384dd8303a90323e9acb6ede26e7182b2282

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6b41802a69b9c5bef3c3f9e680c1d177

SHA1
e8b2c8cf0763dec6df12713cd403667051b9e661

SHA256
51a73b94dc0fefe43ac91215f7db8361cbed49e42fbd1ffe1cd024deb70a38f1

SHA512
20d7b5149c6b4fa664a7a32e3920cd9217f8993a51b39d3ba34a9fb9dac0dc694d904bfa70faeeb7b90f9ef9c779c6dcc7091ed09c3ef7b00e2a67675a644346

Download Submit
\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\2311327147\update.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f6e599cbfd67e53358e6419e5157f0d1

SHA1
7ce48d543dcb9d02503f091250189c116a570119

SHA256
d99864e939a55c85e046f52ab4151c4e9c5351341ee526b41d2ddaf6d5786b34

SHA512
725256c9caf122f3fd94776545eef739603638ed055b1a3f358f0f411ae99c565571d3d7d224b515df03fba3bc402570b29e3639081f5ce9a0f7e2d7c43df8f2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f6e599cbfd67e53358e6419e5157f0d1

SHA1
7ce48d543dcb9d02503f091250189c116a570119

SHA256
d99864e939a55c85e046f52ab4151c4e9c5351341ee526b41d2ddaf6d5786b34

SHA512
725256c9caf122f3fd94776545eef739603638ed055b1a3f358f0f411ae99c565571d3d7d224b515df03fba3bc402570b29e3639081f5ce9a0f7e2d7c43df8f2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
457f99be149bc1e2268ddb91675ff32e

SHA1
44f6ac6a2a04ba3a3a12ac923c482e85a05814a9

SHA256
33a2d8882b74893dd5666922ee3ff52bc5282a1cd79efe5d29095046d777d28e

SHA512
7d1ae60a4d88bbfa8fe9c7cc2c5678a51739dbc605bad4a7d93097d45310e484f247817d82f52297f274e55c22802c61c6c53324bd81db1aa659068610187c63

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
fa2ad40d9b8f4317a804142d2505d4f4

SHA1
23ad7a338461b9507d5f132a6f7e1c95ba4f2846

SHA256
259cc9ea8e10332ab00344bc0907c84dfdc1fba7c0f9053b8b02cbbb825b7155

SHA512
64a4c6219a48de3ccad58947b095526c59ed206217dd5ae9e9254e304a34d5ced91c8f8fc4128ce51d9c1855c13390e325acda8a09a986ea4e6bde7beff32c9a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
fa2ad40d9b8f4317a804142d2505d4f4

SHA1
23ad7a338461b9507d5f132a6f7e1c95ba4f2846

SHA256
259cc9ea8e10332ab00344bc0907c84dfdc1fba7c0f9053b8b02cbbb825b7155

SHA512
64a4c6219a48de3ccad58947b095526c59ed206217dd5ae9e9254e304a34d5ced91c8f8fc4128ce51d9c1855c13390e325acda8a09a986ea4e6bde7beff32c9a

Download Submit
memory/1128-60-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1696-153-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads