3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7

Analysis

max time kernel
71s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
Size

72KB
MD5

235db36f9e1844876ff02ef2833aadd0
SHA1

686b37c2e9bf38433cf9fad5b5d0db3191cf8dd7
SHA256

3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7
SHA512

66afd637bd20b5eae5e30aff33665d110d63081e5655ca0396b4bd105498eb9ab93550a45258ccc8fc27670ff75591d2be173816c4c409e740b1d5921f0ba776
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2m:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrq

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
808	backup.exe
964	backup.exe
1552	backup.exe
1720	backup.exe
1968	backup.exe
588	backup.exe
1164	backup.exe
1740	backup.exe
608	backup.exe
1916	backup.exe
672	System Restore.exe
1536	backup.exe
1496	backup.exe
2036	backup.exe
544	backup.exe
1144	backup.exe
940	backup.exe
980	backup.exe
1448	backup.exe
1376	backup.exe
1140	backup.exe
1120	backup.exe
1968	update.exe
588	update.exe
592	backup.exe
1224	System Restore.exe
1612	backup.exe
1580	backup.exe
1196	backup.exe
568	backup.exe
560	backup.exe
1760	backup.exe
1920	backup.exe
268	backup.exe
2004	backup.exe
1468	backup.exe
1904	backup.exe
1072	backup.exe
2012	backup.exe
1972	backup.exe
1112	backup.exe
840	backup.exe
1152	backup.exe
1764	backup.exe
1292	backup.exe
904	update.exe
1088	backup.exe
836	backup.exe
960	backup.exe
968	backup.exe
1688	backup.exe
1728	backup.exe
588	backup.exe
1692	backup.exe
1708	backup.exe
1704	data.exe
1580	update.exe
1092	System Restore.exe
1884	backup.exe
1052	update.exe
1920	backup.exe
268	backup.exe
2004	backup.exe
1468	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
1740	backup.exe
1740	backup.exe
608	backup.exe
608	backup.exe
1740	backup.exe
1740	backup.exe
672	System Restore.exe
672	System Restore.exe
1536	backup.exe
1536	backup.exe
672	System Restore.exe
672	System Restore.exe
2036	backup.exe
2036	backup.exe
544	backup.exe
544	backup.exe
544	backup.exe
544	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
1968	update.exe
1968	update.exe
1968	update.exe
940	backup.exe
588	update.exe
588	update.exe
588	update.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
940	backup.exe
1196	backup.exe
1196	backup.exe
1196	backup.exe
1196	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
808	backup.exe
964	backup.exe
1552	backup.exe
1720	backup.exe
1968	backup.exe
588	backup.exe
1164	backup.exe
1740	backup.exe
608	backup.exe
1916	backup.exe
672	System Restore.exe
1536	backup.exe
1496	backup.exe
2036	backup.exe
544	backup.exe
1144	backup.exe
940	backup.exe
980	backup.exe
1448	backup.exe
1376	backup.exe
1140	backup.exe
1120	backup.exe
1968	update.exe
588	update.exe
592	backup.exe
1224	System Restore.exe
1612	backup.exe
1580	backup.exe
1196	backup.exe
568	backup.exe
560	backup.exe
1760	backup.exe
1920	backup.exe
268	backup.exe
2004	backup.exe
1468	backup.exe
1904	backup.exe
1072	backup.exe
2012	backup.exe
1972	backup.exe
1112	backup.exe
840	backup.exe
1764	backup.exe
1292	backup.exe
904	update.exe
1088	backup.exe
836	backup.exe
960	backup.exe
968	backup.exe
1688	backup.exe
1728	backup.exe
588	backup.exe
1692	backup.exe
1708	backup.exe
1704	data.exe
1580	update.exe
1092	System Restore.exe
1884	backup.exe
1052	update.exe
1920	backup.exe
268	backup.exe
2004	backup.exe
1468	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 808	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	27
PID 108 wrote to memory of 808	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	27
PID 108 wrote to memory of 808	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	27
PID 108 wrote to memory of 808	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	27
PID 108 wrote to memory of 964	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	28
PID 108 wrote to memory of 964	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	28
PID 108 wrote to memory of 964	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	28
PID 108 wrote to memory of 964	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	28
PID 108 wrote to memory of 1552	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	29
PID 108 wrote to memory of 1552	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	29
PID 108 wrote to memory of 1552	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	29
PID 108 wrote to memory of 1552	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	29
PID 108 wrote to memory of 1720	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	30
PID 108 wrote to memory of 1720	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	30
PID 108 wrote to memory of 1720	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	30
PID 108 wrote to memory of 1720	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	30
PID 108 wrote to memory of 1968	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	31
PID 108 wrote to memory of 1968	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	31
PID 108 wrote to memory of 1968	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	31
PID 108 wrote to memory of 1968	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	31
PID 108 wrote to memory of 588	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	32
PID 108 wrote to memory of 588	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	32
PID 108 wrote to memory of 588	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	32
PID 108 wrote to memory of 588	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	32
PID 108 wrote to memory of 1164	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	33
PID 108 wrote to memory of 1164	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	33
PID 108 wrote to memory of 1164	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	33
PID 108 wrote to memory of 1164	108	3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe	33
PID 808 wrote to memory of 1740	808	backup.exe	34
PID 808 wrote to memory of 1740	808	backup.exe	34
PID 808 wrote to memory of 1740	808	backup.exe	34
PID 808 wrote to memory of 1740	808	backup.exe	34
PID 1740 wrote to memory of 608	1740	backup.exe	35
PID 1740 wrote to memory of 608	1740	backup.exe	35
PID 1740 wrote to memory of 608	1740	backup.exe	35
PID 1740 wrote to memory of 608	1740	backup.exe	35
PID 608 wrote to memory of 1916	608	backup.exe	36
PID 608 wrote to memory of 1916	608	backup.exe	36
PID 608 wrote to memory of 1916	608	backup.exe	36
PID 608 wrote to memory of 1916	608	backup.exe	36
PID 1740 wrote to memory of 672	1740	backup.exe	37
PID 1740 wrote to memory of 672	1740	backup.exe	37
PID 1740 wrote to memory of 672	1740	backup.exe	37
PID 1740 wrote to memory of 672	1740	backup.exe	37
PID 672 wrote to memory of 1536	672	System Restore.exe	38
PID 672 wrote to memory of 1536	672	System Restore.exe	38
PID 672 wrote to memory of 1536	672	System Restore.exe	38
PID 672 wrote to memory of 1536	672	System Restore.exe	38
PID 1536 wrote to memory of 1496	1536	backup.exe	39
PID 1536 wrote to memory of 1496	1536	backup.exe	39
PID 1536 wrote to memory of 1496	1536	backup.exe	39
PID 1536 wrote to memory of 1496	1536	backup.exe	39
PID 672 wrote to memory of 2036	672	System Restore.exe	41
PID 672 wrote to memory of 2036	672	System Restore.exe	41
PID 672 wrote to memory of 2036	672	System Restore.exe	41
PID 672 wrote to memory of 2036	672	System Restore.exe	41
PID 2036 wrote to memory of 544	2036	backup.exe	40
PID 2036 wrote to memory of 544	2036	backup.exe	40
PID 2036 wrote to memory of 544	2036	backup.exe	40
PID 2036 wrote to memory of 544	2036	backup.exe	40
PID 544 wrote to memory of 1144	544	backup.exe	42
PID 544 wrote to memory of 1144	544	backup.exe	42
PID 544 wrote to memory of 1144	544	backup.exe	42
PID 544 wrote to memory of 1144	544	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe
"C:\Users\Admin\AppData\Local\Temp\3c4cad558c13079bd2a041eaa307b192f3314956d6ec0412c83711602fec82e7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\4122882597\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4122882597\backup.exe C:\Users\Admin\AppData\Local\Temp\4122882597\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:808
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:608
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:672
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2036
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1760
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1528
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1844
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1400
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1808
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2020
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1196
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:316
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1900
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1144
        
        C:\Program Files\Common Files\System\en-US\data.exe
        
        "C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1976
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1708
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1828
        
        C:\Program Files\Common Files\System\msadc\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\data.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:844
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1940
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1120
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:432
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:240
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1088
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:1120
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1388
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1224
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1932
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1108
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:340
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:392
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        
        PID:596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        
        PID:760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1844
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1924
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:968
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1460
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1832
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1072
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:876
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:916
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1380
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1108
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1528
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:1468
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:628
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1164
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:856
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1292
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1608
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:688
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1628
    - - C:\Program Files (x86)\Internet Explorer\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\update.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1828
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:268
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:932
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1128
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        
        PID:1368
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1936
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:588
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1164

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1144
- C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:940
- - C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:980
- - C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1376
- - C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1140
- - C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1968
- - C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:588
- - C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:592
- - C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1612
- - C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1196
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:568
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:560
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1760
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1920
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:268
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2004
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1468
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1904
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1072
- - C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2012
- - C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1112
- - C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:840
- - C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    PID:1152
- - C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1292
- - C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:904
- - C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1088
- - C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:960
- - C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:968
- - C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1688
- - C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1728
- - C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:588
- - C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1092
- - C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1052
- - C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1920
- - C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:268
- - C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2004
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1468
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    PID:1904
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
    3⤵
    - Disables RegEdit via registry modification
    PID:932
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:432
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2012
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:472
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
    3⤵
    PID:776
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
  2⤵
  - Disables RegEdit via registry modification
  PID:1936
- - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    PID:240
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
  2⤵
  PID:980
- C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
  2⤵
  PID:628
- C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  - System policy modification
  PID:1448
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:904
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
    3⤵
    - Disables RegEdit via registry modification
    PID:1128
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    PID:1140
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1976
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:1720
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:968
- C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
  2⤵
  - Drops file in Program Files directory
  PID:1700
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1684
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
    3⤵
    PID:1188
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1252
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:1692
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
    3⤵
    - Disables RegEdit via registry modification
    PID:1608
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:1108
- C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System policy modification
  PID:1680
- C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
  2⤵
  - System policy modification
  PID:340
- C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System policy modification
  PID:596
- - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:608
  - - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
      4⤵
      PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7ceb730a0fd1827b6d6bf4c431540c13

SHA1
8dbbb3ba4a68be83ddced63b88f8e89dbb402460

SHA256
28cb803e766eba34a55b5d0f6aa1e754d5482dcb9c9c23101beef9f4838b9e53

SHA512
cbbc3a2c870817a44208d3d6569904ba834e1a3861e377e4d17eecf7da7416bf483877120499c8b76a891f322cc8595e624273ef04f278e282494d8ebf9fe2a3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0760bbc561e5e8804976cdb2b771060f

SHA1
18ff0cf5513b4f2f04d128dad5e04b4310c96089

SHA256
f6423e61d2cdc06f5e0c2711220c29f15f6a1a0e7bd248e12aa029c71e3e3185

SHA512
96544fd85cd7ee3cd88bd4a12865357622b5afa0fd305e9129b80591fedd0f3b68106a51115a91eb2b823205f7a3389e8a9e5118d9b22b6eb743a23153836f8a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0760bbc561e5e8804976cdb2b771060f

SHA1
18ff0cf5513b4f2f04d128dad5e04b4310c96089

SHA256
f6423e61d2cdc06f5e0c2711220c29f15f6a1a0e7bd248e12aa029c71e3e3185

SHA512
96544fd85cd7ee3cd88bd4a12865357622b5afa0fd305e9129b80591fedd0f3b68106a51115a91eb2b823205f7a3389e8a9e5118d9b22b6eb743a23153836f8a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
C:\Users\Admin\AppData\Local\Temp\4122882597\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4122882597\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cb82f94bdffad2267fce4a92019d9309

SHA1
db1e366fda50fcfe8497ba84ab25e09d611e0bf7

SHA256
7c85b0479194821eac9c001c6caa6e22b8022555d413047d555eac9035410943

SHA512
142270dfb72dd64ef7c64da8e96a87ca0923ae0c904556199c64136b8233daa450a895fca93af6a90055493e48aed03acf4cae3d7357ff3a1613401ffd86295e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cb82f94bdffad2267fce4a92019d9309

SHA1
db1e366fda50fcfe8497ba84ab25e09d611e0bf7

SHA256
7c85b0479194821eac9c001c6caa6e22b8022555d413047d555eac9035410943

SHA512
142270dfb72dd64ef7c64da8e96a87ca0923ae0c904556199c64136b8233daa450a895fca93af6a90055493e48aed03acf4cae3d7357ff3a1613401ffd86295e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7ceb730a0fd1827b6d6bf4c431540c13

SHA1
8dbbb3ba4a68be83ddced63b88f8e89dbb402460

SHA256
28cb803e766eba34a55b5d0f6aa1e754d5482dcb9c9c23101beef9f4838b9e53

SHA512
cbbc3a2c870817a44208d3d6569904ba834e1a3861e377e4d17eecf7da7416bf483877120499c8b76a891f322cc8595e624273ef04f278e282494d8ebf9fe2a3

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7ceb730a0fd1827b6d6bf4c431540c13

SHA1
8dbbb3ba4a68be83ddced63b88f8e89dbb402460

SHA256
28cb803e766eba34a55b5d0f6aa1e754d5482dcb9c9c23101beef9f4838b9e53

SHA512
cbbc3a2c870817a44208d3d6569904ba834e1a3861e377e4d17eecf7da7416bf483877120499c8b76a891f322cc8595e624273ef04f278e282494d8ebf9fe2a3

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eaa3f25c2bc42d68a50e89d1b9f75866

SHA1
737b5539308f1bfc712dc088682934c8e54f49d0

SHA256
68757fa8144e499fca0a171cd068e0a0f54f1f9a8c169d01c2becf2c341480fd

SHA512
811bcb05f0f9cb258da4d3ddb8bed175e137ca19dda8c4e9490f5c2d0db01a731eb9c7ba426989271d52f7854888c47bd0b7c44482ab3d6d9e5ee1b63128912a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0760bbc561e5e8804976cdb2b771060f

SHA1
18ff0cf5513b4f2f04d128dad5e04b4310c96089

SHA256
f6423e61d2cdc06f5e0c2711220c29f15f6a1a0e7bd248e12aa029c71e3e3185

SHA512
96544fd85cd7ee3cd88bd4a12865357622b5afa0fd305e9129b80591fedd0f3b68106a51115a91eb2b823205f7a3389e8a9e5118d9b22b6eb743a23153836f8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0760bbc561e5e8804976cdb2b771060f

SHA1
18ff0cf5513b4f2f04d128dad5e04b4310c96089

SHA256
f6423e61d2cdc06f5e0c2711220c29f15f6a1a0e7bd248e12aa029c71e3e3185

SHA512
96544fd85cd7ee3cd88bd4a12865357622b5afa0fd305e9129b80591fedd0f3b68106a51115a91eb2b823205f7a3389e8a9e5118d9b22b6eb743a23153836f8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
313d10031e7510406914963ee4441762

SHA1
adc3d91b688f9645357f20eb61e78b77aef476de

SHA256
27ac726113c37dfd42d278bbef8083638e9f8549b87eccd72ede6aaff0de49eb

SHA512
211ee1f1b4aab6956133645037dcc48d281272a4fca17bf9a6b1ec8bb10500357a9040a899188fd7f842d3190bfe565e473239ce052a874f0dce60b3370f1cad

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5e4666ddee1924ecaf63b410666f661d

SHA1
130f1d6dad7518a0ab9c06340eb306ee7b436f62

SHA256
98734cae99173544dc3ed0b16a13209692531bceb4e979b12dbc91a6b4a13a43

SHA512
500b693cddcebf3b603f909bd589b078660349f168e8810ee67352cabb5a6913f6bbff0ac622f9f9ce660b481a189cc5696d0888f1efb3389ab86616bcbbea4c

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
5123f11f2138b14286d08260a4640750

SHA1
3e16ba9b5e561fb7b11302184f846455b03a7997

SHA256
76a4f99e14a3e2213cc723297ae015b68d84eb097dc3a34f6b08a4ca51c3aa40

SHA512
b50c26144fee43bb580d6c102bdc456dd6b02dbf0c23039ad47d45cb670e19efcfdda3f9eafd735bb263f267cc9b3c88c35c3a0af982dc3d47c617a12b4add70

Download Submit
\Users\Admin\AppData\Local\Temp\4122882597\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\4122882597\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d9dfeb203b6371e6a80b479db0d6462c

SHA1
f688ada3fe115dd8f62c45c76ebc44ee7775390d

SHA256
bd419dc00a9f3bcb4722a66f4bc6d4d0c8633626cdd83ed38f0cf211e50f37b1

SHA512
77bbceee5b5996fa170177140bc89a636bff669a2c74b034438863aa217dc7aa5b44954354d4248540da2a36e9b95b0acb0c2fa7488e84228f1ff7e074b6682d

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9976b76c31ae335e36732e0ce70bbf0b

SHA1
ac1cdc68a287c0106bad48efba67245d7279a9d7

SHA256
bda6fe9fe1377fbfd79d83b40734c704a3bbee6c3ccb8c030bc2d792b8ba7fab

SHA512
f7a85f3770a751f94b7f818ebb60b68d4421800c22eccea79921168ac40eaed18c30e1041c638dce08a08ece33c95cc6529deabf075643cb49a1c3a8d834346b

Download Submit
memory/108-118-0x0000000074931000-0x0000000074933000-memory.dmp

Filesize
8KB

Download
memory/108-98-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads