770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667

Analysis

max time kernel
190s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
Size

72KB
MD5

068d47f725561d5abe3f6a99598ab193
SHA1

852861715af3507fc36a6a32a0ab4951568f8aac
SHA256

770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667
SHA512

50bdebc512c41927c8aa5ae4786c68f804cca1a636a0424e39fe6471c36f907eebb0b64a8767cac03e003f82757e27958ede08f481c67ede5a2287051d816bc5
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf26:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPu

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1096	backup.exe
1616	backup.exe
1548	backup.exe
856	backup.exe
520	backup.exe
684	backup.exe
1116	data.exe
1752	backup.exe
1756	backup.exe
1336	backup.exe
1504	backup.exe
1576	backup.exe
552	backup.exe
952	backup.exe
480	backup.exe
1880	backup.exe
988	backup.exe
776	backup.exe
1560	backup.exe
884	backup.exe
768	data.exe
268	backup.exe
804	backup.exe
1600	backup.exe
1816	backup.exe
888	backup.exe
1372	backup.exe
768	backup.exe
268	backup.exe
804	backup.exe
1600	backup.exe
1816	backup.exe
888	System Restore.exe
1284	backup.exe
1300	backup.exe
1460	backup.exe
1084	backup.exe
2012	backup.exe
1176	backup.exe
1744	backup.exe
316	backup.exe
1252	backup.exe
1616	backup.exe
1428	backup.exe
1172	backup.exe
584	backup.exe
860	backup.exe
684	backup.exe
660	backup.exe
1464	backup.exe
1624	backup.exe
1280	backup.exe
1560	backup.exe
828	backup.exe
1756	System Restore.exe
648	backup.exe
1400	backup.exe
1716	backup.exe
1740	backup.exe
896	backup.exe
1656	backup.exe
1372	backup.exe
568	backup.exe
1284	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
1752	backup.exe
1752	backup.exe
1756	backup.exe
1756	backup.exe
1752	backup.exe
1752	backup.exe
1504	backup.exe
1504	backup.exe
1576	backup.exe
1576	backup.exe
1504	backup.exe
1504	backup.exe
952	backup.exe
952	backup.exe
480	backup.exe
480	backup.exe
480	backup.exe
480	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
1564	backup.exe
480	backup.exe
480	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	update.exe
File opened for modification	C:\Windows\update.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
1096	backup.exe
1616	backup.exe
1548	backup.exe
856	backup.exe
520	backup.exe
684	backup.exe
1116	data.exe
1752	backup.exe
1756	backup.exe
1336	backup.exe
1504	backup.exe
1576	backup.exe
552	backup.exe
952	backup.exe
480	backup.exe
1880	backup.exe
316	backup.exe
1520	backup.exe
1704	backup.exe
1528	backup.exe
1724	backup.exe
1172	backup.exe
856	backup.exe
1232	System Restore.exe
520	backup.exe
1928	update.exe
1464	update.exe
1564	backup.exe
776	backup.exe
1560	backup.exe
884	backup.exe
768	data.exe
268	backup.exe
804	backup.exe
1600	backup.exe
1816	backup.exe
888	backup.exe
552	backup.exe
1300	backup.exe
568	backup.exe
1148	backup.exe
1992	backup.exe
1844	backup.exe
832	backup.exe
1880	update.exe
948	backup.exe
1648	backup.exe
1616	data.exe
1728	backup.exe
1352	backup.exe
1412	backup.exe
284	backup.exe
860	backup.exe
992	backup.exe
672	backup.exe
1928	backup.exe
524	backup.exe
1624	data.exe
1732	System Restore.exe
300	update.exe
1872	backup.exe
1940	backup.exe
1372	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1096	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	28
PID 2028 wrote to memory of 1096	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	28
PID 2028 wrote to memory of 1096	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	28
PID 2028 wrote to memory of 1096	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	28
PID 2028 wrote to memory of 1616	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	29
PID 2028 wrote to memory of 1616	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	29
PID 2028 wrote to memory of 1616	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	29
PID 2028 wrote to memory of 1616	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	29
PID 2028 wrote to memory of 1548	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	30
PID 2028 wrote to memory of 1548	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	30
PID 2028 wrote to memory of 1548	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	30
PID 2028 wrote to memory of 1548	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	30
PID 2028 wrote to memory of 856	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	31
PID 2028 wrote to memory of 856	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	31
PID 2028 wrote to memory of 856	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	31
PID 2028 wrote to memory of 856	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	31
PID 2028 wrote to memory of 520	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	32
PID 2028 wrote to memory of 520	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	32
PID 2028 wrote to memory of 520	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	32
PID 2028 wrote to memory of 520	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	32
PID 2028 wrote to memory of 684	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	33
PID 2028 wrote to memory of 684	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	33
PID 2028 wrote to memory of 684	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	33
PID 2028 wrote to memory of 684	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	33
PID 2028 wrote to memory of 1116	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	34
PID 2028 wrote to memory of 1116	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	34
PID 2028 wrote to memory of 1116	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	34
PID 2028 wrote to memory of 1116	2028	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe	34
PID 1096 wrote to memory of 1752	1096	backup.exe	35
PID 1096 wrote to memory of 1752	1096	backup.exe	35
PID 1096 wrote to memory of 1752	1096	backup.exe	35
PID 1096 wrote to memory of 1752	1096	backup.exe	35
PID 1752 wrote to memory of 1756	1752	backup.exe	36
PID 1752 wrote to memory of 1756	1752	backup.exe	36
PID 1752 wrote to memory of 1756	1752	backup.exe	36
PID 1752 wrote to memory of 1756	1752	backup.exe	36
PID 1756 wrote to memory of 1336	1756	backup.exe	37
PID 1756 wrote to memory of 1336	1756	backup.exe	37
PID 1756 wrote to memory of 1336	1756	backup.exe	37
PID 1756 wrote to memory of 1336	1756	backup.exe	37
PID 1752 wrote to memory of 1504	1752	backup.exe	38
PID 1752 wrote to memory of 1504	1752	backup.exe	38
PID 1752 wrote to memory of 1504	1752	backup.exe	38
PID 1752 wrote to memory of 1504	1752	backup.exe	38
PID 1504 wrote to memory of 1576	1504	backup.exe	39
PID 1504 wrote to memory of 1576	1504	backup.exe	39
PID 1504 wrote to memory of 1576	1504	backup.exe	39
PID 1504 wrote to memory of 1576	1504	backup.exe	39
PID 1576 wrote to memory of 552	1576	backup.exe	40
PID 1576 wrote to memory of 552	1576	backup.exe	40
PID 1576 wrote to memory of 552	1576	backup.exe	40
PID 1576 wrote to memory of 552	1576	backup.exe	40
PID 1504 wrote to memory of 952	1504	backup.exe	41
PID 1504 wrote to memory of 952	1504	backup.exe	41
PID 1504 wrote to memory of 952	1504	backup.exe	41
PID 1504 wrote to memory of 952	1504	backup.exe	41
PID 952 wrote to memory of 480	952	backup.exe	42
PID 952 wrote to memory of 480	952	backup.exe	42
PID 952 wrote to memory of 480	952	backup.exe	42
PID 952 wrote to memory of 480	952	backup.exe	42
PID 480 wrote to memory of 1880	480	backup.exe	43
PID 480 wrote to memory of 1880	480	backup.exe	43
PID 480 wrote to memory of 1880	480	backup.exe	43
PID 480 wrote to memory of 1880	480	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe
"C:\Users\Admin\AppData\Local\Temp\770b91b68de89014729811889b4d62883f715ced4f49d3416330a031bc566667.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028
- C:\Users\Admin\AppData\Local\Temp\1386266715\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1386266715\backup.exe C:\Users\Admin\AppData\Local\Temp\1386266715\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1576
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:552
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:660
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:648
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1400
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1740
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:568
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1284
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1460
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:336
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2024
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:520
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1544
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1208
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1964
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2000
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:556
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:336
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:584
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1544
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1872
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:988
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1280
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1520
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1396
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:1844
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:860
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1928
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:292
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:328
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1400
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1368
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1644
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1832
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1688
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Disables RegEdit via registry modification
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:952
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        System policy modification
        
        PID:1644
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        System policy modification
        
        PID:316
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1192
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        System policy modification
        
        PID:1172
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        System policy modification
        
        PID:1336
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:836
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1508
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:576
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:480
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1576
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        System policy modification
        
        PID:1460
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1304
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1352
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1100
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1832
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Disables RegEdit via registry modification
        
        PID:432
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\System Restore.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1616
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1544
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1396
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:584
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1660
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:1760
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:608
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1232
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1812
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:292
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:316
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:828
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1380
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1648
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1192
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1208
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1736
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1728
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1748
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Drops file in Program Files directory
        
        PID:804
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1284
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1756
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:336
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1764
    - - C:\Program Files (x86)\Google\data.exe
        
        "C:\Program Files (x86)\Google\data.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1824
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1208
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1200
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1732
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:992
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:292
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1520
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1820
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1996
      - C:\Users\Admin\Links\update.exe
        
        C:\Users\Admin\Links\update.exe C:\Users\Admin\Links\
        6⤵
        
        PID:836
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:924
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1412
  - - C:\Windows\update.exe
      C:\Windows\update.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:1248
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1964
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:684
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b6f7e8b57405d0059c1fe189415fe79b

SHA1
457f6b6513fa4550e6adc5d6919c3f50e5569fd4

SHA256
ea308d5196f27a0315a7a5303e64a332650e450052d57a643f4a3966c5aea406

SHA512
7014328248a476364c4ef7b64a942a87e67d6eb5dec216fb753e25791490b60a334a41cc5d411594d51007913533208ed75eaf68587e1178aac797b6bd61743b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9fb98f4cfaeba097e5509970bdac8513

SHA1
fe60d25efa3059bee012224aca3bd63fe2582587

SHA256
c0256d336bb51a3d06cb1e216c6bb2cdf871988be4b83a8e5a0dbcc8830ae3d1

SHA512
e367e9249103cb95a5a821fe7c98ccbfedbca0c96faeab18e91c9dcc109c9d0c959971cb92c8ee5c6bdcc6433721521df51adbdb1d9690e233c079b33859f73d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9fb98f4cfaeba097e5509970bdac8513

SHA1
fe60d25efa3059bee012224aca3bd63fe2582587

SHA256
c0256d336bb51a3d06cb1e216c6bb2cdf871988be4b83a8e5a0dbcc8830ae3d1

SHA512
e367e9249103cb95a5a821fe7c98ccbfedbca0c96faeab18e91c9dcc109c9d0c959971cb92c8ee5c6bdcc6433721521df51adbdb1d9690e233c079b33859f73d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
28fc45bc3b94dbaf987c603f028d78fb

SHA1
d174b16e99349e3270c05cacd23c1b25f85ae824

SHA256
16926a3b3e5d3b5582dfb60d7e99e35c6a435536dfd6d4455c83f855ac887b49

SHA512
7c352d7e0fd6658fa9b4d1f60b51802d14f5297b1bc99a822ae67c46e602d78b721d61eb8a543698e65870467cb0b7f36784cc9b1de399ef95f7a3d7e8984b36

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
28fc45bc3b94dbaf987c603f028d78fb

SHA1
d174b16e99349e3270c05cacd23c1b25f85ae824

SHA256
16926a3b3e5d3b5582dfb60d7e99e35c6a435536dfd6d4455c83f855ac887b49

SHA512
7c352d7e0fd6658fa9b4d1f60b51802d14f5297b1bc99a822ae67c46e602d78b721d61eb8a543698e65870467cb0b7f36784cc9b1de399ef95f7a3d7e8984b36

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\1386266715\backup.exe

Filesize
72KB

MD5
c9d5bf666acd5c58d2a1f1fbe8b9a626

SHA1
3c4366aed4ad0508a44026763d5fb9dcfdfe4c55

SHA256
0b6f21a78151a4a6c5370f831a6c904619ff1b1254de108baee318e24d852a6a

SHA512
ba77e3549e81eec37cea3f4655dfa149022d0115c20eb581ccb5cab4dbaa0c471b5ff149c62e2df8e83189c7488fcb5f0c337c5021788fd25c5ca13b72a412f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1386266715\backup.exe

Filesize
72KB

MD5
c9d5bf666acd5c58d2a1f1fbe8b9a626

SHA1
3c4366aed4ad0508a44026763d5fb9dcfdfe4c55

SHA256
0b6f21a78151a4a6c5370f831a6c904619ff1b1254de108baee318e24d852a6a

SHA512
ba77e3549e81eec37cea3f4655dfa149022d0115c20eb581ccb5cab4dbaa0c471b5ff149c62e2df8e83189c7488fcb5f0c337c5021788fd25c5ca13b72a412f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
C:\backup.exe

Filesize
72KB

MD5
14f34e5b9aba88db05c9e298d4ec302b

SHA1
d5062f5bd8e37b93ac95d036766390e4839e0d0a

SHA256
8a40c5ed6c29b74a10a704726fe407bf3c452a2bff96fb1c7967e32f5aa5a9e6

SHA512
f675d6d6d08c81d9caa73a0b0ce20c963820241d0226c5b23ac6e297e21c91b658209eef97d7ed15417fb4f3c638ac052b3b3e85cba8176be40853bc17aceb85

Download Submit
C:\backup.exe

Filesize
72KB

MD5
14f34e5b9aba88db05c9e298d4ec302b

SHA1
d5062f5bd8e37b93ac95d036766390e4839e0d0a

SHA256
8a40c5ed6c29b74a10a704726fe407bf3c452a2bff96fb1c7967e32f5aa5a9e6

SHA512
f675d6d6d08c81d9caa73a0b0ce20c963820241d0226c5b23ac6e297e21c91b658209eef97d7ed15417fb4f3c638ac052b3b3e85cba8176be40853bc17aceb85

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b6f7e8b57405d0059c1fe189415fe79b

SHA1
457f6b6513fa4550e6adc5d6919c3f50e5569fd4

SHA256
ea308d5196f27a0315a7a5303e64a332650e450052d57a643f4a3966c5aea406

SHA512
7014328248a476364c4ef7b64a942a87e67d6eb5dec216fb753e25791490b60a334a41cc5d411594d51007913533208ed75eaf68587e1178aac797b6bd61743b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b6f7e8b57405d0059c1fe189415fe79b

SHA1
457f6b6513fa4550e6adc5d6919c3f50e5569fd4

SHA256
ea308d5196f27a0315a7a5303e64a332650e450052d57a643f4a3966c5aea406

SHA512
7014328248a476364c4ef7b64a942a87e67d6eb5dec216fb753e25791490b60a334a41cc5d411594d51007913533208ed75eaf68587e1178aac797b6bd61743b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
1e5125d9ece42562e914380582436a26

SHA1
0fb0894df63395a8a2f5493e5df5232d5e0080f9

SHA256
08d31dc34f9fb5e310f587c229f99bcd88193bec99aee93a43fcc03ccbae32b8

SHA512
5b668f1cd1d36a3b2ccb87c0744e75cacc390387668b0d0eaa3321c16d14e6dab232ff68d976c4b02275ac19d60664398e28533ca2a0cd6692bc6e123290d0e5

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9fb98f4cfaeba097e5509970bdac8513

SHA1
fe60d25efa3059bee012224aca3bd63fe2582587

SHA256
c0256d336bb51a3d06cb1e216c6bb2cdf871988be4b83a8e5a0dbcc8830ae3d1

SHA512
e367e9249103cb95a5a821fe7c98ccbfedbca0c96faeab18e91c9dcc109c9d0c959971cb92c8ee5c6bdcc6433721521df51adbdb1d9690e233c079b33859f73d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9fb98f4cfaeba097e5509970bdac8513

SHA1
fe60d25efa3059bee012224aca3bd63fe2582587

SHA256
c0256d336bb51a3d06cb1e216c6bb2cdf871988be4b83a8e5a0dbcc8830ae3d1

SHA512
e367e9249103cb95a5a821fe7c98ccbfedbca0c96faeab18e91c9dcc109c9d0c959971cb92c8ee5c6bdcc6433721521df51adbdb1d9690e233c079b33859f73d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
68525523294eeb0b9130c635015ae315

SHA1
8b6be1c16a88282046ede35cb7cdf54cabe14046

SHA256
3d7f59dff62ba4133a3d73fb980f4a72326b942542602c8fe67753bb9e2d9a61

SHA512
3dcb3abab37e4968f60fd3794bbb5b511777cd35a449c3b768290fb5bd6a41180cbef8d9afe97d214ee03f7567d1a719daa862582a0232751485bc966c142ad5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
3eb6fcbc4d21bb104e887caaa9a30b24

SHA1
d605bf5e8236d06db4af4fd50169c4efc88388e1

SHA256
06005e5b5889e8a473fed9d56f6e25f51a0358fc11f4d5e267fda6081426f11b

SHA512
fc20f85cb9837c3829cb73d1fe015f80598e9b6365f7003def26b3ab26392529d015a81146307915c485088844ca3d41f9d4b5f4736d5078d0ce430583f06d11

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
28fc45bc3b94dbaf987c603f028d78fb

SHA1
d174b16e99349e3270c05cacd23c1b25f85ae824

SHA256
16926a3b3e5d3b5582dfb60d7e99e35c6a435536dfd6d4455c83f855ac887b49

SHA512
7c352d7e0fd6658fa9b4d1f60b51802d14f5297b1bc99a822ae67c46e602d78b721d61eb8a543698e65870467cb0b7f36784cc9b1de399ef95f7a3d7e8984b36

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
28fc45bc3b94dbaf987c603f028d78fb

SHA1
d174b16e99349e3270c05cacd23c1b25f85ae824

SHA256
16926a3b3e5d3b5582dfb60d7e99e35c6a435536dfd6d4455c83f855ac887b49

SHA512
7c352d7e0fd6658fa9b4d1f60b51802d14f5297b1bc99a822ae67c46e602d78b721d61eb8a543698e65870467cb0b7f36784cc9b1de399ef95f7a3d7e8984b36

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
995368f22553d65a467ee82b66a2758c

SHA1
a0b985eb3668a36d5bac509562ac7a7f74c49f85

SHA256
21fd50f342d469a0a2643b19c366d56602804ea886de96c9582610e09e3d1f59

SHA512
e5453916b16b093b4b80eb938938c8aa7b49783d40ade8dae37b5ba2edae548caa8eacb14a26a69a597c457236d624f4441d16a1a3d25fb3958786ef8ce3d120

Download Submit
\Users\Admin\AppData\Local\Temp\1386266715\backup.exe

Filesize
72KB

MD5
c9d5bf666acd5c58d2a1f1fbe8b9a626

SHA1
3c4366aed4ad0508a44026763d5fb9dcfdfe4c55

SHA256
0b6f21a78151a4a6c5370f831a6c904619ff1b1254de108baee318e24d852a6a

SHA512
ba77e3549e81eec37cea3f4655dfa149022d0115c20eb581ccb5cab4dbaa0c471b5ff149c62e2df8e83189c7488fcb5f0c337c5021788fd25c5ca13b72a412f9

Download Submit
\Users\Admin\AppData\Local\Temp\1386266715\backup.exe

Filesize
72KB

MD5
c9d5bf666acd5c58d2a1f1fbe8b9a626

SHA1
3c4366aed4ad0508a44026763d5fb9dcfdfe4c55

SHA256
0b6f21a78151a4a6c5370f831a6c904619ff1b1254de108baee318e24d852a6a

SHA512
ba77e3549e81eec37cea3f4655dfa149022d0115c20eb581ccb5cab4dbaa0c471b5ff149c62e2df8e83189c7488fcb5f0c337c5021788fd25c5ca13b72a412f9

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
58ec10eacb2cb4448e77f1195f483edc

SHA1
e35a67463e367eeaebb04c8b37208cc2d158e0bf

SHA256
5d6fed075db8bacf74a6be87a6ab3f4994b16832d59cad3af38fd29bf2662269

SHA512
cdd4a26104e36db7b8d49d45a56dc667306e05ac40c474bc868fe0c22f3e7b0df57be8dad7c2d4b0d9abb839a9ccb09cdc6debb567cbcb50777afdcd9dc8fabb

Download Submit
memory/2028-148-0x00000000747D1000-0x00000000747D3000-memory.dmp

Filesize
8KB

Download
memory/2028-98-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads