cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574

Analysis

max time kernel
174s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
Size

72KB
MD5

08eb8c7e1b793fa1a22c4fe7912192ab
SHA1

b4a628e8057800b197310715fde70ee90c34f1b0
SHA256

cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574
SHA512

038edae49e5601137f344b623c8b378bf3bc091f9ecec36ad7eb0d733129783a8845002baa1f91570efd7c035b5ab520c44118066585eb8a572473ee797cdfee
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPhO:ieTce/U/hKYuKPY

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2044	backup.exe
1180	backup.exe
864	backup.exe
760	backup.exe
1504	System Restore.exe
792	backup.exe
1452	backup.exe
2024	backup.exe
2028	backup.exe
1948	backup.exe
1620	backup.exe
1236	backup.exe
328	update.exe
1768	backup.exe
1120	backup.exe
1516	backup.exe
1616	backup.exe
1584	backup.exe
1240	backup.exe
728	backup.exe
584	backup.exe
1916	backup.exe
760	backup.exe
772	backup.exe
552	backup.exe
520	backup.exe
1528	backup.exe
1868	backup.exe
1320	backup.exe
1368	backup.exe
1472	backup.exe
276	backup.exe
1948	backup.exe
1408	backup.exe
1688	backup.exe
1372	backup.exe
1900	backup.exe
1988	backup.exe
328	backup.exe
516	backup.exe
1144	System Restore.exe
1604	data.exe
844	backup.exe
2012	backup.exe
892	backup.exe
1280	backup.exe
460	backup.exe
852	backup.exe
664	backup.exe
1276	backup.exe
1208	backup.exe
1200	backup.exe
1268	backup.exe
1096	backup.exe
920	backup.exe
1536	backup.exe
928	backup.exe
1968	backup.exe
828	backup.exe
1596	backup.exe
1404	backup.exe
1496	backup.exe
1052	backup.exe
676	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2024	backup.exe
2024	backup.exe
2028	backup.exe
2028	backup.exe
2024	backup.exe
2024	backup.exe
1620	backup.exe
1620	backup.exe
1236	backup.exe
328	update.exe
328	update.exe
328	update.exe
1620	backup.exe
1620	backup.exe
1768	backup.exe
1768	backup.exe
1120	backup.exe
1120	backup.exe
1120	backup.exe
1120	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
2044	backup.exe
1180	backup.exe
864	backup.exe
760	backup.exe
1504	System Restore.exe
792	backup.exe
2024	backup.exe
1452	backup.exe
2028	backup.exe
1948	backup.exe
1620	backup.exe
1236	backup.exe
328	update.exe
1768	backup.exe
1120	backup.exe
1516	backup.exe
1616	backup.exe
1584	backup.exe
1240	backup.exe
728	backup.exe
584	backup.exe
1916	backup.exe
760	backup.exe
772	backup.exe
552	backup.exe
520	backup.exe
1528	backup.exe
1868	backup.exe
1320	backup.exe
1368	backup.exe
1472	backup.exe
276	backup.exe
1948	backup.exe
1408	backup.exe
1688	backup.exe
1372	backup.exe
1900	backup.exe
1988	backup.exe
328	backup.exe
516	backup.exe
1144	System Restore.exe
1604	data.exe
844	backup.exe
2012	backup.exe
892	backup.exe
1280	backup.exe
460	backup.exe
852	backup.exe
664	backup.exe
1276	backup.exe
1208	backup.exe
1200	backup.exe
1268	backup.exe
1096	backup.exe
920	backup.exe
1536	backup.exe
928	backup.exe
1968	backup.exe
828	backup.exe
1596	backup.exe
1404	backup.exe
1496	backup.exe
1052	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2044	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	28
PID 2040 wrote to memory of 2044	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	28
PID 2040 wrote to memory of 2044	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	28
PID 2040 wrote to memory of 2044	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	28
PID 2040 wrote to memory of 1180	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	29
PID 2040 wrote to memory of 1180	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	29
PID 2040 wrote to memory of 1180	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	29
PID 2040 wrote to memory of 1180	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	29
PID 2040 wrote to memory of 864	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	30
PID 2040 wrote to memory of 864	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	30
PID 2040 wrote to memory of 864	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	30
PID 2040 wrote to memory of 864	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	30
PID 2040 wrote to memory of 760	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	31
PID 2040 wrote to memory of 760	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	31
PID 2040 wrote to memory of 760	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	31
PID 2040 wrote to memory of 760	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	31
PID 2040 wrote to memory of 1504	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	32
PID 2040 wrote to memory of 1504	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	32
PID 2040 wrote to memory of 1504	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	32
PID 2040 wrote to memory of 1504	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	32
PID 2040 wrote to memory of 792	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	33
PID 2040 wrote to memory of 792	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	33
PID 2040 wrote to memory of 792	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	33
PID 2040 wrote to memory of 792	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	33
PID 2040 wrote to memory of 1452	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	34
PID 2040 wrote to memory of 1452	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	34
PID 2040 wrote to memory of 1452	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	34
PID 2040 wrote to memory of 1452	2040	cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe	34
PID 2044 wrote to memory of 2024	2044	backup.exe	35
PID 2044 wrote to memory of 2024	2044	backup.exe	35
PID 2044 wrote to memory of 2024	2044	backup.exe	35
PID 2044 wrote to memory of 2024	2044	backup.exe	35
PID 2024 wrote to memory of 2028	2024	backup.exe	36
PID 2024 wrote to memory of 2028	2024	backup.exe	36
PID 2024 wrote to memory of 2028	2024	backup.exe	36
PID 2024 wrote to memory of 2028	2024	backup.exe	36
PID 2028 wrote to memory of 1948	2028	backup.exe	37
PID 2028 wrote to memory of 1948	2028	backup.exe	37
PID 2028 wrote to memory of 1948	2028	backup.exe	37
PID 2028 wrote to memory of 1948	2028	backup.exe	37
PID 2024 wrote to memory of 1620	2024	backup.exe	38
PID 2024 wrote to memory of 1620	2024	backup.exe	38
PID 2024 wrote to memory of 1620	2024	backup.exe	38
PID 2024 wrote to memory of 1620	2024	backup.exe	38
PID 1620 wrote to memory of 1236	1620	backup.exe	39
PID 1620 wrote to memory of 1236	1620	backup.exe	39
PID 1620 wrote to memory of 1236	1620	backup.exe	39
PID 1620 wrote to memory of 1236	1620	backup.exe	39
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1236 wrote to memory of 328	1236	backup.exe	40
PID 1620 wrote to memory of 1768	1620	backup.exe	41
PID 1620 wrote to memory of 1768	1620	backup.exe	41
PID 1620 wrote to memory of 1768	1620	backup.exe	41
PID 1620 wrote to memory of 1768	1620	backup.exe	41
PID 1768 wrote to memory of 1120	1768	backup.exe	42
PID 1768 wrote to memory of 1120	1768	backup.exe	42
PID 1768 wrote to memory of 1120	1768	backup.exe	42
PID 1768 wrote to memory of 1120	1768	backup.exe	42
PID 1120 wrote to memory of 1516	1120	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe
"C:\Users\Admin\AppData\Local\Temp\cda985291eea89777dff321a69fe74e0901c0766e5c605a2ff887a70ae4cc574.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\568098849\backup.exe
  C:\Users\Admin\AppData\Local\Temp\568098849\backup.exe C:\Users\Admin\AppData\Local\Temp\568098849\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2044
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2028
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:328
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1236
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:620
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2000
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1276
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1448
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:1964
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1048
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2000
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:520
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1368
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1780
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1204
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:760
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1860
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1236
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1624
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:1240
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:996
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:948
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:928
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1352
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1808
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:1500
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1504
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:988
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1236
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:772
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1452
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:772
    - - C:\Program Files\Google\data.exe
        
        "C:\Program Files\Google\data.exe" C:\Program Files\Google\
        5⤵
        
        PID:1116
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1052
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1268
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1736
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1104
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        System policy modification
        
        PID:1432
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1452
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1900
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1492
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1452
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:760
      - C:\Program Files\Internet Explorer\images\update.exe
        
        "C:\Program Files\Internet Explorer\images\update.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1240
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1948
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1160
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1664
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1656
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        Drops file in Program Files directory
        
        PID:188
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\update.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:1592
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1496
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:556
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1916
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        System policy modification
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:852
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Drops file in Program Files directory
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1104
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1208
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Disables RegEdit via registry modification
        
        PID:576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1048
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        System policy modification
        
        PID:892
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:300
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        System policy modification
        
        PID:1144
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1872
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1544
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1488
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1676
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1792
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:1572
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1872
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1780
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1276
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Drops file in Program Files directory
        
        PID:1744
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1572
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:928
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:680
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:948
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2028
  - - C:\Users\update.exe
      C:\Users\update.exe C:\Users\
      4⤵
      PID:956
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:516
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1852
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
      - C:\Users\Admin\Documents\System Restore.exe
        
        "C:\Users\Admin\Documents\System Restore.exe" C:\Users\Admin\Documents\
        6⤵
        
        PID:1968
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:896
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:948
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1408
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:852
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1780
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1720
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:820
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        System policy modification
        
        PID:1408
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:520
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:824
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:864
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:792
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
37f9e69a3d895f42f03bd6e5af59c319

SHA1
90da8ddb95de55a9018524b32224455ffc0e4df5

SHA256
2f6fa2ea3542646d136303585689e7c46815bf924432d830c1a75f8ca4ebf25f

SHA512
7ee8b96c268b806ca0fe03e58fbb218dfdcf93de42dcc28a97b3e60d03b3f2ab179f9975df0702e73df7ed7aaabe2196d5a86cef4648a7a457410898ddecca47

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a908f230bdadb0bb4fd74ffed2a53c4d

SHA1
66a63b5e76dc5d27cdbea471c541baf29ff96266

SHA256
53f8e36337f314eea3e5b7cedf4127787e3f03b67e0591739c917ec20ccfed2b

SHA512
990b65eb2f2ea520e3f5290e1047075becc99a8d96182d6732e557a5eebc9f14081896e3cd7580164aff0337cf30e2234156a93a8457a63753df8589d17c06cc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a908f230bdadb0bb4fd74ffed2a53c4d

SHA1
66a63b5e76dc5d27cdbea471c541baf29ff96266

SHA256
53f8e36337f314eea3e5b7cedf4127787e3f03b67e0591739c917ec20ccfed2b

SHA512
990b65eb2f2ea520e3f5290e1047075becc99a8d96182d6732e557a5eebc9f14081896e3cd7580164aff0337cf30e2234156a93a8457a63753df8589d17c06cc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
285bae6cf1cf2409598db661e8fed332

SHA1
13eb2875dbc45ee9cc212dbdecb1cf19ab478268

SHA256
a4f76e365c88fadd3758758ced70c0dc46db4d395380ef46d3d0bed63ec37867

SHA512
3413d5a58a927e843472e4ec7f46074a94c1cfc5b6f6c2d8d5142753b1a0a31d6abd106b8fad2205a2afa9031c3ab46ac21711ae71844ab78bb28b4413b7d11e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
70406d3140cbf3e065c6ece390f1f620

SHA1
a90e521c217c2adbe7950111e3c9b2377fee80c3

SHA256
ad9eb8a9a829614028ca1353df97e96b7aa855ac37aff43a16cbc1df15df45a3

SHA512
76db1afd5673a0e915083cb975a97661fbe67f8464b267f8b8fa19281e84d35dbc8c825dd24b201c598e72757e98e09ae59b341adaf6bbe0fcefd23e6d0ccac7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
70406d3140cbf3e065c6ece390f1f620

SHA1
a90e521c217c2adbe7950111e3c9b2377fee80c3

SHA256
ad9eb8a9a829614028ca1353df97e96b7aa855ac37aff43a16cbc1df15df45a3

SHA512
76db1afd5673a0e915083cb975a97661fbe67f8464b267f8b8fa19281e84d35dbc8c825dd24b201c598e72757e98e09ae59b341adaf6bbe0fcefd23e6d0ccac7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
192b4cb8cc7d983f9f44a3409589676b

SHA1
c961140e92b8c8644e17b980d7396a5a8af284ec

SHA256
52dbcbfe73ecff5f4a6d82ac645c317621abd1df35b3234c377bd5b1e3f591ef

SHA512
dd130428a1806c75e9b258e2b894595d96253e051bd1a67b2418d720c9ed9bf140064b6806d89d3fa23f0c526a4ea4e6ffbfb13fa71abcbbdb03aea9e2894c46

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
192b4cb8cc7d983f9f44a3409589676b

SHA1
c961140e92b8c8644e17b980d7396a5a8af284ec

SHA256
52dbcbfe73ecff5f4a6d82ac645c317621abd1df35b3234c377bd5b1e3f591ef

SHA512
dd130428a1806c75e9b258e2b894595d96253e051bd1a67b2418d720c9ed9bf140064b6806d89d3fa23f0c526a4ea4e6ffbfb13fa71abcbbdb03aea9e2894c46

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
C:\Users\Admin\AppData\Local\Temp\568098849\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\568098849\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8e68f6f282a4e5e088946a7a194c3540

SHA1
1bf5aba9cca23931a6714ec0e0831689e94f4cb7

SHA256
5a71e82ffeb44551b4699f4e1f6a2175dd507ece65fdb191b95fd22c4ccd0723

SHA512
54324cebdfef433007e4de2e664a2f020eb17a85200f424eb918633db66b9388062d677e42e0cd8262220fee6dd19da85b4ae3fb8c24d849ff93e057883f0770

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8e68f6f282a4e5e088946a7a194c3540

SHA1
1bf5aba9cca23931a6714ec0e0831689e94f4cb7

SHA256
5a71e82ffeb44551b4699f4e1f6a2175dd507ece65fdb191b95fd22c4ccd0723

SHA512
54324cebdfef433007e4de2e664a2f020eb17a85200f424eb918633db66b9388062d677e42e0cd8262220fee6dd19da85b4ae3fb8c24d849ff93e057883f0770

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c8ac789a1a7b5475aaf0bc4df3139e2b

SHA1
73ecf5886047d0a2c59712675f07857e1db11fdc

SHA256
9d4b8088b4f38324a028d318fcbbcdce367da89d14886237b38664fa692e1f26

SHA512
72d0fed75a8d36112bca722f7bc53d779a7c4b9cb720f79a8daf90f07a8f26fe5a3d5b3ccc6d8bbade64efb575fc222c1345fb89204573bc89518460e019796b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
60b403c984fa2757c0a7be10203f6a91

SHA1
3bedee94495852561a9c011bbb7981242d8694a2

SHA256
f81733b20d8c3eada57f5d061f756d4a18c214fea60937311763c07f11c8ba5f

SHA512
28fb3a0650a1880ee21849bb95798d7f63cdc381fc421cc5e06aa143fdf6e9d3d4f3e9af2655995adf79cfab66bd54e601c5b43efb193d1cdbd98a808c6547c9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
37f9e69a3d895f42f03bd6e5af59c319

SHA1
90da8ddb95de55a9018524b32224455ffc0e4df5

SHA256
2f6fa2ea3542646d136303585689e7c46815bf924432d830c1a75f8ca4ebf25f

SHA512
7ee8b96c268b806ca0fe03e58fbb218dfdcf93de42dcc28a97b3e60d03b3f2ab179f9975df0702e73df7ed7aaabe2196d5a86cef4648a7a457410898ddecca47

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
37f9e69a3d895f42f03bd6e5af59c319

SHA1
90da8ddb95de55a9018524b32224455ffc0e4df5

SHA256
2f6fa2ea3542646d136303585689e7c46815bf924432d830c1a75f8ca4ebf25f

SHA512
7ee8b96c268b806ca0fe03e58fbb218dfdcf93de42dcc28a97b3e60d03b3f2ab179f9975df0702e73df7ed7aaabe2196d5a86cef4648a7a457410898ddecca47

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a908f230bdadb0bb4fd74ffed2a53c4d

SHA1
66a63b5e76dc5d27cdbea471c541baf29ff96266

SHA256
53f8e36337f314eea3e5b7cedf4127787e3f03b67e0591739c917ec20ccfed2b

SHA512
990b65eb2f2ea520e3f5290e1047075becc99a8d96182d6732e557a5eebc9f14081896e3cd7580164aff0337cf30e2234156a93a8457a63753df8589d17c06cc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a908f230bdadb0bb4fd74ffed2a53c4d

SHA1
66a63b5e76dc5d27cdbea471c541baf29ff96266

SHA256
53f8e36337f314eea3e5b7cedf4127787e3f03b67e0591739c917ec20ccfed2b

SHA512
990b65eb2f2ea520e3f5290e1047075becc99a8d96182d6732e557a5eebc9f14081896e3cd7580164aff0337cf30e2234156a93a8457a63753df8589d17c06cc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
285bae6cf1cf2409598db661e8fed332

SHA1
13eb2875dbc45ee9cc212dbdecb1cf19ab478268

SHA256
a4f76e365c88fadd3758758ced70c0dc46db4d395380ef46d3d0bed63ec37867

SHA512
3413d5a58a927e843472e4ec7f46074a94c1cfc5b6f6c2d8d5142753b1a0a31d6abd106b8fad2205a2afa9031c3ab46ac21711ae71844ab78bb28b4413b7d11e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
285bae6cf1cf2409598db661e8fed332

SHA1
13eb2875dbc45ee9cc212dbdecb1cf19ab478268

SHA256
a4f76e365c88fadd3758758ced70c0dc46db4d395380ef46d3d0bed63ec37867

SHA512
3413d5a58a927e843472e4ec7f46074a94c1cfc5b6f6c2d8d5142753b1a0a31d6abd106b8fad2205a2afa9031c3ab46ac21711ae71844ab78bb28b4413b7d11e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
70406d3140cbf3e065c6ece390f1f620

SHA1
a90e521c217c2adbe7950111e3c9b2377fee80c3

SHA256
ad9eb8a9a829614028ca1353df97e96b7aa855ac37aff43a16cbc1df15df45a3

SHA512
76db1afd5673a0e915083cb975a97661fbe67f8464b267f8b8fa19281e84d35dbc8c825dd24b201c598e72757e98e09ae59b341adaf6bbe0fcefd23e6d0ccac7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
70406d3140cbf3e065c6ece390f1f620

SHA1
a90e521c217c2adbe7950111e3c9b2377fee80c3

SHA256
ad9eb8a9a829614028ca1353df97e96b7aa855ac37aff43a16cbc1df15df45a3

SHA512
76db1afd5673a0e915083cb975a97661fbe67f8464b267f8b8fa19281e84d35dbc8c825dd24b201c598e72757e98e09ae59b341adaf6bbe0fcefd23e6d0ccac7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
285bae6cf1cf2409598db661e8fed332

SHA1
13eb2875dbc45ee9cc212dbdecb1cf19ab478268

SHA256
a4f76e365c88fadd3758758ced70c0dc46db4d395380ef46d3d0bed63ec37867

SHA512
3413d5a58a927e843472e4ec7f46074a94c1cfc5b6f6c2d8d5142753b1a0a31d6abd106b8fad2205a2afa9031c3ab46ac21711ae71844ab78bb28b4413b7d11e

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
192b4cb8cc7d983f9f44a3409589676b

SHA1
c961140e92b8c8644e17b980d7396a5a8af284ec

SHA256
52dbcbfe73ecff5f4a6d82ac645c317621abd1df35b3234c377bd5b1e3f591ef

SHA512
dd130428a1806c75e9b258e2b894595d96253e051bd1a67b2418d720c9ed9bf140064b6806d89d3fa23f0c526a4ea4e6ffbfb13fa71abcbbdb03aea9e2894c46

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
192b4cb8cc7d983f9f44a3409589676b

SHA1
c961140e92b8c8644e17b980d7396a5a8af284ec

SHA256
52dbcbfe73ecff5f4a6d82ac645c317621abd1df35b3234c377bd5b1e3f591ef

SHA512
dd130428a1806c75e9b258e2b894595d96253e051bd1a67b2418d720c9ed9bf140064b6806d89d3fa23f0c526a4ea4e6ffbfb13fa71abcbbdb03aea9e2894c46

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
50bfd54bfb432cf6d80af7e7c1dd46c9

SHA1
b70c25ed44106cd7fc4992749c86e50c1eef9bd3

SHA256
f513b941e994ad250e0ae4489bbb65c25b45fcf7ed648179aa1bc2643d43f55c

SHA512
9b0876157777f5a2465a4da702ff2c060211e9c2894dff3a83dadb8ba7594570b8c742d1e1f182559b7a9d5c1eb374e47e9a6a491832452ed605c28b7435301a

Download Submit
\Users\Admin\AppData\Local\Temp\568098849\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\568098849\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5b8fed8507379f2f027499b5f9a78416

SHA1
60c4bbb75c3046877b459ea0e9101ba24de18e6e

SHA256
2bb622f557001e4b0472400b697cb6d7e7609306f1d66cb4fc3b0466c05277b6

SHA512
410e952ed29fc1b49868be05dd4c194c1e62e1ea4ede6600a94e4ee71b5db5bcb69e72d3407fe804c9c2bc71cedc8b2cf6fc6ed8f31e6bdcde9647e54744c1c5

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
cdb2e7d60388f35164fa922a145141be

SHA1
0f6b20c92eb6a603ac8c55fb502d31bb1a9809ae

SHA256
4331c639c97535bf60f6d0cac07958eead651700efd888d3a4c3d30c4f826286

SHA512
8e07cec74d29e756a4e99decbfaa0da883244908267ef0178b2e7fa03742a86292249a71f215e10351cdd7d6f5345b65a000cf6d127cca6139fb58dd93192a27

Download Submit
memory/2040-104-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2040-119-0x0000000074EA1000-0x0000000074EA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads