129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3

Analysis

max time kernel
72s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
Size

72KB
MD5

a4dcd3ddfa420486ef8f5f3be8df9800
SHA1

8843ebf5000f0da76a0391656fb49df2b901eac3
SHA256

129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3
SHA512

53cf4a502f89a1ac149321ea7c6961ec224914f1d1dafb552c9328d4584153370f931469eb1814f0f1cd7573e544aa3e04248a2fac0bd09abae36613713bb7c5
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2K:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrG

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1628	backup.exe
1576	backup.exe
1528	backup.exe
1680	backup.exe
904	backup.exe
580	backup.exe
1404	backup.exe
540	backup.exe
1908	backup.exe
1036	backup.exe
972	backup.exe
1204	backup.exe
1532	backup.exe
1824	backup.exe
1648	backup.exe
2044	backup.exe
1356	backup.exe
1584	backup.exe
1620	backup.exe
1448	backup.exe
892	backup.exe
904	backup.exe
580	backup.exe
1520	backup.exe
1700	backup.exe
288	backup.exe
1692	backup.exe
1232	backup.exe
1524	backup.exe
1328	backup.exe
828	backup.exe
1908	backup.exe
1720	backup.exe
1540	backup.exe
1104	backup.exe
536	backup.exe
1532	backup.exe
1916	backup.exe
1644	backup.exe
1996	backup.exe
1636	backup.exe
1668	update.exe
1368	backup.exe
1252	backup.exe
1444	backup.exe
1664	backup.exe
1680	System Restore.exe
1184	data.exe
1884	backup.exe
268	backup.exe
608	backup.exe
1756	data.exe
1568	backup.exe
1588	backup.exe
768	backup.exe
1004	backup.exe
1328	backup.exe
828	data.exe
1908	backup.exe
1720	backup.exe
1540	backup.exe
1104	backup.exe
536	backup.exe
1532	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
540	backup.exe
540	backup.exe
1908	backup.exe
1908	backup.exe
540	backup.exe
540	backup.exe
972	backup.exe
972	backup.exe
1204	backup.exe
1204	backup.exe
972	backup.exe
972	backup.exe
1824	backup.exe
1824	backup.exe
1648	backup.exe
1648	backup.exe
1648	backup.exe
1648	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1356	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
1628	backup.exe
1576	backup.exe
1528	backup.exe
1680	backup.exe
904	backup.exe
580	backup.exe
1404	backup.exe
540	backup.exe
1908	backup.exe
1036	backup.exe
972	backup.exe
1204	backup.exe
1532	backup.exe
1824	backup.exe
1648	backup.exe
2044	backup.exe
1356	backup.exe
1584	backup.exe
1620	backup.exe
1448	backup.exe
892	backup.exe
904	backup.exe
580	backup.exe
1520	backup.exe
1700	backup.exe
288	backup.exe
1692	backup.exe
1232	backup.exe
1524	backup.exe
1328	backup.exe
828	backup.exe
1908	backup.exe
1720	backup.exe
1540	backup.exe
1104	backup.exe
536	backup.exe
1532	backup.exe
1916	backup.exe
1644	backup.exe
1996	backup.exe
1636	backup.exe
1668	update.exe
1368	backup.exe
1252	backup.exe
1444	backup.exe
1664	backup.exe
1680	System Restore.exe
1184	data.exe
1884	backup.exe
268	backup.exe
608	backup.exe
1756	data.exe
1568	backup.exe
1588	backup.exe
768	backup.exe
1004	backup.exe
1328	backup.exe
828	data.exe
1908	backup.exe
1720	backup.exe
1540	backup.exe
1104	backup.exe
536	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1628	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	28
PID 1224 wrote to memory of 1628	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	28
PID 1224 wrote to memory of 1628	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	28
PID 1224 wrote to memory of 1628	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	28
PID 1224 wrote to memory of 1576	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	29
PID 1224 wrote to memory of 1576	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	29
PID 1224 wrote to memory of 1576	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	29
PID 1224 wrote to memory of 1576	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	29
PID 1224 wrote to memory of 1528	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	30
PID 1224 wrote to memory of 1528	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	30
PID 1224 wrote to memory of 1528	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	30
PID 1224 wrote to memory of 1528	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	30
PID 1224 wrote to memory of 1680	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	31
PID 1224 wrote to memory of 1680	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	31
PID 1224 wrote to memory of 1680	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	31
PID 1224 wrote to memory of 1680	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	31
PID 1224 wrote to memory of 904	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	32
PID 1224 wrote to memory of 904	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	32
PID 1224 wrote to memory of 904	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	32
PID 1224 wrote to memory of 904	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	32
PID 1224 wrote to memory of 580	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	33
PID 1224 wrote to memory of 580	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	33
PID 1224 wrote to memory of 580	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	33
PID 1224 wrote to memory of 580	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	33
PID 1224 wrote to memory of 1404	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	34
PID 1224 wrote to memory of 1404	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	34
PID 1224 wrote to memory of 1404	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	34
PID 1224 wrote to memory of 1404	1224	129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe	34
PID 1628 wrote to memory of 540	1628	backup.exe	35
PID 1628 wrote to memory of 540	1628	backup.exe	35
PID 1628 wrote to memory of 540	1628	backup.exe	35
PID 1628 wrote to memory of 540	1628	backup.exe	35
PID 540 wrote to memory of 1908	540	backup.exe	36
PID 540 wrote to memory of 1908	540	backup.exe	36
PID 540 wrote to memory of 1908	540	backup.exe	36
PID 540 wrote to memory of 1908	540	backup.exe	36
PID 1908 wrote to memory of 1036	1908	backup.exe	37
PID 1908 wrote to memory of 1036	1908	backup.exe	37
PID 1908 wrote to memory of 1036	1908	backup.exe	37
PID 1908 wrote to memory of 1036	1908	backup.exe	37
PID 540 wrote to memory of 972	540	backup.exe	38
PID 540 wrote to memory of 972	540	backup.exe	38
PID 540 wrote to memory of 972	540	backup.exe	38
PID 540 wrote to memory of 972	540	backup.exe	38
PID 972 wrote to memory of 1204	972	backup.exe	39
PID 972 wrote to memory of 1204	972	backup.exe	39
PID 972 wrote to memory of 1204	972	backup.exe	39
PID 972 wrote to memory of 1204	972	backup.exe	39
PID 1204 wrote to memory of 1532	1204	backup.exe	40
PID 1204 wrote to memory of 1532	1204	backup.exe	40
PID 1204 wrote to memory of 1532	1204	backup.exe	40
PID 1204 wrote to memory of 1532	1204	backup.exe	40
PID 972 wrote to memory of 1824	972	backup.exe	41
PID 972 wrote to memory of 1824	972	backup.exe	41
PID 972 wrote to memory of 1824	972	backup.exe	41
PID 972 wrote to memory of 1824	972	backup.exe	41
PID 1824 wrote to memory of 1648	1824	backup.exe	42
PID 1824 wrote to memory of 1648	1824	backup.exe	42
PID 1824 wrote to memory of 1648	1824	backup.exe	42
PID 1824 wrote to memory of 1648	1824	backup.exe	42
PID 1648 wrote to memory of 2044	1648	backup.exe	43
PID 1648 wrote to memory of 2044	1648	backup.exe	43
PID 1648 wrote to memory of 2044	1648	backup.exe	43
PID 1648 wrote to memory of 2044	1648	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe
"C:\Users\Admin\AppData\Local\Temp\129d9a2412db812d0ba82a2ca24090894fd687606e4733f29c59e1a54f6d98f3.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\4160964006\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4160964006\backup.exe C:\Users\Admin\AppData\Local\Temp\4160964006\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1628
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1908
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1824
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1036
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1448
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1552
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:628
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:640
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\System\ado\update.exe
        
        "C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1560
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1828
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1912
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1680
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1524
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1908
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1424
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:484
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:892
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1620
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:1668
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:904
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:852
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:564
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:976
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1384
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1604
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1520
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1700
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1204
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1612
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1368
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:924
  - - C:\Program Files (x86)\data.exe
      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:1636
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        System policy modification
        
        PID:472
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1356
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1568
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:392
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1716
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1796
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1036
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2008
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:760
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1740
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1672
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:904
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
151864f4a7b4e14b22c763716f34aa23

SHA1
9d55f3626e76c79ee7814745ac35cfb947ab2d19

SHA256
6fe883772969f32a716a2a35f875f09973eb8779789b7c906a699358f6d2e97d

SHA512
360ffe5be77a7860764d307b4bdc6bbb78c433b620a190a04e22fc3567e217d0b9269ef90a88246af148311a4cf478aa7e85c9bdf75e1a5cd5e8436b1b3a6f1d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
94514fd41a102be30af5548b4e61b4e3

SHA1
e72cdcedbdb9d42702c434298ca2a0723da5fee0

SHA256
ef1d49a7d67f9f2cde481f997d23b0e66ffb418625d6af10b555c2187ac61f7f

SHA512
405e2d11a04e291b350529c27fca1b681c505a9a51d59f25a178e2427cba92662cfc449325d70c41de1cbf3789605bf94a2cd023b08f0bcab0f36d2fc64d1f81

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
94514fd41a102be30af5548b4e61b4e3

SHA1
e72cdcedbdb9d42702c434298ca2a0723da5fee0

SHA256
ef1d49a7d67f9f2cde481f997d23b0e66ffb418625d6af10b555c2187ac61f7f

SHA512
405e2d11a04e291b350529c27fca1b681c505a9a51d59f25a178e2427cba92662cfc449325d70c41de1cbf3789605bf94a2cd023b08f0bcab0f36d2fc64d1f81

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4160964006\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4160964006\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d8845216201911826963aee7d67b1609

SHA1
1130c967f2ce2df8eff0b38694e4e2773a8d6dd1

SHA256
f24550ebe6868c31390b1e29e4cf92b7ff261ccae2e872fcc7d0fbef00108dfc

SHA512
80c9d9cd48383cffe178087a201355ca65c00d19a46c9f9579f1c7aa366f26a045ecdaf3cf49a9fad15cd8dfef0e86fd92a8995cad8f3493834de6596411ed5d

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d8845216201911826963aee7d67b1609

SHA1
1130c967f2ce2df8eff0b38694e4e2773a8d6dd1

SHA256
f24550ebe6868c31390b1e29e4cf92b7ff261ccae2e872fcc7d0fbef00108dfc

SHA512
80c9d9cd48383cffe178087a201355ca65c00d19a46c9f9579f1c7aa366f26a045ecdaf3cf49a9fad15cd8dfef0e86fd92a8995cad8f3493834de6596411ed5d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
151864f4a7b4e14b22c763716f34aa23

SHA1
9d55f3626e76c79ee7814745ac35cfb947ab2d19

SHA256
6fe883772969f32a716a2a35f875f09973eb8779789b7c906a699358f6d2e97d

SHA512
360ffe5be77a7860764d307b4bdc6bbb78c433b620a190a04e22fc3567e217d0b9269ef90a88246af148311a4cf478aa7e85c9bdf75e1a5cd5e8436b1b3a6f1d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
151864f4a7b4e14b22c763716f34aa23

SHA1
9d55f3626e76c79ee7814745ac35cfb947ab2d19

SHA256
6fe883772969f32a716a2a35f875f09973eb8779789b7c906a699358f6d2e97d

SHA512
360ffe5be77a7860764d307b4bdc6bbb78c433b620a190a04e22fc3567e217d0b9269ef90a88246af148311a4cf478aa7e85c9bdf75e1a5cd5e8436b1b3a6f1d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
94514fd41a102be30af5548b4e61b4e3

SHA1
e72cdcedbdb9d42702c434298ca2a0723da5fee0

SHA256
ef1d49a7d67f9f2cde481f997d23b0e66ffb418625d6af10b555c2187ac61f7f

SHA512
405e2d11a04e291b350529c27fca1b681c505a9a51d59f25a178e2427cba92662cfc449325d70c41de1cbf3789605bf94a2cd023b08f0bcab0f36d2fc64d1f81

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
94514fd41a102be30af5548b4e61b4e3

SHA1
e72cdcedbdb9d42702c434298ca2a0723da5fee0

SHA256
ef1d49a7d67f9f2cde481f997d23b0e66ffb418625d6af10b555c2187ac61f7f

SHA512
405e2d11a04e291b350529c27fca1b681c505a9a51d59f25a178e2427cba92662cfc449325d70c41de1cbf3789605bf94a2cd023b08f0bcab0f36d2fc64d1f81

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb1e0ff1cfca39b0e464902da3ae60ca

SHA1
50cf498c66f044fdcb0ad17cfd3bbbd005ef4d1b

SHA256
07f16dd5834957459e12f85d9e45fbaead3b8927725af6c3a2ac1431d86508a7

SHA512
4ebcbda4aaf391334d8c19f2a74b534017a17f2a59c7bbc6e521840c903273f9e907a5dbe83e488c189581b6059b9a46a0dac0d488c60842df6c8679e63dc1eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
f49ff20319c12a7c09fa03eed666282d

SHA1
0e61cc09588d9565dea59a0d27c19a8983575a76

SHA256
304130fb2f2979354f2c2a977e82858f9f29701283ecb52e44de0ccd8af49d77

SHA512
7fd3e2a971b0cdbb960dc4224cc481613660f5cea1fa948a29ed53a9cb0348b4e88f3919e0470185461d5f5cff4426973739e05dda33417c64eeced06fa5d2fc

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6ef0e94c334420eb3aecf88f8263b282

SHA1
7862d74baffba6e6487a35223f329e530a6b0bca

SHA256
d2e2821bf349adc5f9843dbbfcb49defed4a050bfeb031962df21ca6dfacd67b

SHA512
a7655630307d332098c87b7bcff44e4be282dca9687742bdb44eabf96c36b4b38bd658523a59b2d70d6f18a85754e07564e5f0f614fb00782bf55eddf40629ae

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
41c929dd5a6f6b23c2b07b33cafa5768

SHA1
efb18885645067dab40a462ad0391e15c271a8b6

SHA256
46799c3b8a9b3b3a9b5d6436b03637bca7892aedbe15893304cca5a42069c734

SHA512
a342e492828ba400d47346013707a75fdf3d776d06c845185584889ad8ac8a99a99b0b9c49aea0d6c7a06d2242c2e6fc974cc419f93c05df8c92d5c624b43bb3

Download Submit
\Users\Admin\AppData\Local\Temp\4160964006\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\4160964006\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
88a1aa1d7c54ca5bdac4846a88d7340e

SHA1
4cc18cb034850682ad30e87274a67cbc38f9f28b

SHA256
d7548e58906af4681b993cc17786ef9b60a2b1bb83ff2133ee1020e3b1e551d7

SHA512
445a2ccb7028ea45774d01b1eedce704138e21a46d960001ead628d98b15e9dfc1693aa8ec17b5a2ab964507d1133417405a0d751edff6c8d575fb004d901efd

Download Submit
memory/1224-116-0x0000000074361000-0x0000000074363000-memory.dmp

Filesize
8KB

Download
memory/1224-98-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads