1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5

Analysis

max time kernel
68s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
Size

72KB
MD5

00dff1977e0e8599d750e1b4674f7b87
SHA1

72b4b9304783070dafd37fe7aed3a907bc4fcc33
SHA256

1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5
SHA512

143f9543d24591121e2a5ac66a826d82ce2a7b23f719ab2ed496ac498c9df26a903c53b3ee83acc553b2608868ef2ba3b04c5cfed180e1be460f18ac99888431
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPh/:ieTce/U/hKYuKP5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1152	update.exe
1928	backup.exe
1744	backup.exe
2032	data.exe
1972	backup.exe
1712	backup.exe
1764	backup.exe
1112	backup.exe
1320	backup.exe
1944	backup.exe
1828	backup.exe
1664	backup.exe
1120	backup.exe
1468	backup.exe
304	backup.exe
1116	backup.exe
1576	backup.exe
2036	backup.exe
112	backup.exe
1992	backup.exe
1968	backup.exe
1892	backup.exe
1972	backup.exe
1964	backup.exe
1704	backup.exe
1324	backup.exe
1332	backup.exe
1940	backup.exe
1444	backup.exe
1676	backup.exe
1660	backup.exe
1832	backup.exe
1408	backup.exe
472	backup.exe
676	backup.exe
592	backup.exe
1984	backup.exe
1664	backup.exe
1168	backup.exe
1952	backup.exe
984	backup.exe
1600	backup.exe
2036	backup.exe
112	backup.exe
1992	backup.exe
1968	backup.exe
1892	backup.exe
1972	backup.exe
1964	backup.exe
1704	backup.exe
1324	backup.exe
1332	data.exe
1940	backup.exe
652	backup.exe
1204	backup.exe
1736	backup.exe
1280	backup.exe
1192	backup.exe
1364	backup.exe
1272	backup.exe
456	backup.exe
1996	backup.exe
1664	data.exe
876	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
1152	update.exe
1152	update.exe
1152	update.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
1112	backup.exe
1112	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1320	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1112	backup.exe
1112	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1664	backup.exe
1664	backup.exe
1664	backup.exe
1664	backup.exe
1664	backup.exe
1120	backup.exe
1120	backup.exe
1120	backup.exe
1828	backup.exe
1828	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
304	backup.exe
304	backup.exe
304	backup.exe
304	backup.exe
304	backup.exe
1116	backup.exe
1116	backup.exe
1116	backup.exe
304	backup.exe
304	backup.exe
1576	backup.exe
1576	backup.exe
1576	backup.exe
1576	backup.exe
1576	backup.exe
2036	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
1152	update.exe
1928	backup.exe
1744	backup.exe
2032	data.exe
1972	backup.exe
1712	backup.exe
1764	backup.exe
1112	backup.exe
1320	backup.exe
1944	backup.exe
1828	backup.exe
1664	backup.exe
1120	backup.exe
1468	backup.exe
304	backup.exe
1116	backup.exe
1576	backup.exe
2036	backup.exe
112	backup.exe
1992	backup.exe
1968	backup.exe
1892	backup.exe
1972	backup.exe
1964	backup.exe
1704	backup.exe
1324	backup.exe
1332	backup.exe
1940	backup.exe
1444	backup.exe
1676	backup.exe
1660	backup.exe
1832	backup.exe
1408	backup.exe
472	backup.exe
676	backup.exe
592	backup.exe
1984	backup.exe
1664	backup.exe
1952	backup.exe
984	backup.exe
1600	backup.exe
2036	backup.exe
112	backup.exe
1992	backup.exe
1968	backup.exe
1892	backup.exe
1972	backup.exe
1964	backup.exe
1704	backup.exe
1324	backup.exe
1332	data.exe
1940	backup.exe
652	backup.exe
1204	backup.exe
1736	backup.exe
1280	backup.exe
1192	backup.exe
1364	backup.exe
1272	backup.exe
456	backup.exe
1996	backup.exe
1664	data.exe
876	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1152	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	27
PID 284 wrote to memory of 1928	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	28
PID 284 wrote to memory of 1928	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	28
PID 284 wrote to memory of 1928	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	28
PID 284 wrote to memory of 1928	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	28
PID 284 wrote to memory of 1744	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	29
PID 284 wrote to memory of 1744	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	29
PID 284 wrote to memory of 1744	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	29
PID 284 wrote to memory of 1744	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	29
PID 284 wrote to memory of 2032	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	30
PID 284 wrote to memory of 2032	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	30
PID 284 wrote to memory of 2032	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	30
PID 284 wrote to memory of 2032	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	30
PID 284 wrote to memory of 1972	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	31
PID 284 wrote to memory of 1972	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	31
PID 284 wrote to memory of 1972	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	31
PID 284 wrote to memory of 1972	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	31
PID 284 wrote to memory of 1712	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	32
PID 284 wrote to memory of 1712	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	32
PID 284 wrote to memory of 1712	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	32
PID 284 wrote to memory of 1712	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	32
PID 284 wrote to memory of 1764	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	33
PID 284 wrote to memory of 1764	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	33
PID 284 wrote to memory of 1764	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	33
PID 284 wrote to memory of 1764	284	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe	33
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1152 wrote to memory of 1112	1152	update.exe	34
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1112 wrote to memory of 1320	1112	backup.exe	35
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1320 wrote to memory of 1944	1320	backup.exe	36
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1112 wrote to memory of 1828	1112	backup.exe	37
PID 1828 wrote to memory of 1664	1828	backup.exe	38
PID 1828 wrote to memory of 1664	1828	backup.exe	38
PID 1828 wrote to memory of 1664	1828	backup.exe	38
PID 1828 wrote to memory of 1664	1828	backup.exe	38
PID 1828 wrote to memory of 1664	1828	backup.exe	38

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe
"C:\Users\Admin\AppData\Local\Temp\1458ac83890fa3e4c25cfce61829c06740423ecd811abe8682f8d600406613e5.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:284
- C:\Users\Admin\AppData\Local\Temp\482789143\update.exe
  C:\Users\Admin\AppData\Local\Temp\482789143\update.exe C:\Users\Admin\AppData\Local\Temp\482789143\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1112
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1944
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1828
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1664
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1120
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1468
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1344
      - C:\Program Files\Common Files\Services\System Restore.exe
        
        "C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:296
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:984
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:608
        
        C:\Program Files\Common Files\System\ado\update.exe
        
        "C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1800
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:848
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1664
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1992
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1600
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:524
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1920
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1192
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2024
      - C:\Program Files\DVD Maker\en-US\update.exe
        
        "C:\Program Files\DVD Maker\en-US\update.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1896
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1980
      - C:\Program Files\DVD Maker\fr-FR\data.exe
        
        "C:\Program Files\DVD Maker\fr-FR\data.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:592
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1700
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:652
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1172
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2008
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1352
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1676
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:268
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1320
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1104
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1688
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:568
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1456
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1832
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1684
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1620
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1140
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:968
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:676
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1728
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1916
    - - C:\Program Files\Microsoft Games\data.exe
        
        "C:\Program Files\Microsoft Games\data.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1940
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1116
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1912
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      System policy modification
      PID:664
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1604
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1820
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:472
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:936
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1300
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1932
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2040
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1544
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1332
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:2000
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1928
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:920
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1120
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1184
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1856
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1760
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:616
      - C:\Users\Admin\Music\System Restore.exe
        
        "C:\Users\Admin\Music\System Restore.exe" C:\Users\Admin\Music\
        6⤵
        
        PID:2060
    - - C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        5⤵
        
        PID:1488
      - C:\Users\Public\Documents\data.exe
        
        C:\Users\Public\Documents\data.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1056
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:844
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1380
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1572
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e433e8ab635305676d575fb8e268f0e1

SHA1
36eed885189b8e2b6d8a51d4afece9899c64b4fd

SHA256
20e1019c75469cfb5d875726f912a2e5d8e01f25c9f7d17a79bd685030ad9920

SHA512
a531d968cde853c0f79487afd6e8bbb4bd5b4e1dedcdab35d5542986202b55c2cc7090d81af935a04153fe4e456dde3f33bb9c9ded4ed178d9b9b98fd7025b75

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e433e8ab635305676d575fb8e268f0e1

SHA1
36eed885189b8e2b6d8a51d4afece9899c64b4fd

SHA256
20e1019c75469cfb5d875726f912a2e5d8e01f25c9f7d17a79bd685030ad9920

SHA512
a531d968cde853c0f79487afd6e8bbb4bd5b4e1dedcdab35d5542986202b55c2cc7090d81af935a04153fe4e456dde3f33bb9c9ded4ed178d9b9b98fd7025b75

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d49bb0bb0dffe38fb6860e4ba5d55a80

SHA1
30b572dfd553a73118f519014b0744e45a9d9aaf

SHA256
7a96003c92339ec78b72b6e0d4ce4ac77289b464ce010439105aa48da0f71387

SHA512
4bf4241cdc2a647eadade27f5093cb6da65d65bcf38896b6362c97a30fcf55184296e3afa2828a30a0759ca60fac038840c75875c53e6866633e861fb141ba4d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
00b5e3d5b3f83ad621a4b6c97aa4ebd3

SHA1
cf6e25087688446aa92cdd5ed711c7e30e1f7338

SHA256
5bcfb489b3d2027f674636027644f6bf3fa107ef690236116a935e694382b3c5

SHA512
d3eebf48dd12d71d78d52c684d123082f9833541cab56e713df6849da70dd537a736cbae6443c13cbaf6e14f3e52afad66ba4b4b0a9349765b3f4f5ff0f0db05

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ef59e8d44fefe8658416ebea1aac84a2

SHA1
72927681c0cbded77e0646b819e2701060ee92c7

SHA256
0ed0f4dfb468d8316145d33b782edd234f8061fefab81fe1bdbdd7c02c6234e7

SHA512
58c1a75ad61be550208b3bb7fe3efd3ea1a8cd3891446753bcab358bfcc55b5479c08ab75ac4c0345a914c4e1f5d2f63ca1f0827e21ca39370f210af19a48445

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7be0871d7df8dba39f7beca88ea810ae

SHA1
94e79a8abf2a7892c515131bd54012260699d466

SHA256
7a7b136c679994ac9fe76e8ac23367727b0c81b66f770140eebd5e86d46f6084

SHA512
b83908318611afaeb11bcf0c9814dace121d064dd8067383f22bc5a55e9eb04bea114dc3e79f05284fdb30724d80c0b3e237ae73bf1302c275b16e409c4006d3

Download Submit
\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\482789143\update.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7b4e48fb9adf060df49d63b31b048d57

SHA1
37341a7a9d110bf63d1333419f51e09a6a72e08e

SHA256
0cb279f48e9e514c24a667a191d5325323724c9a11a6f1a59df2a0b5778ff14d

SHA512
5db50b0a3821fcaba7c21dfc730a080bef6c472c47a6d1a17e4d0a3370ea41934bd933a71fdff5326cd20cd33554180f98f0e84a0acff09696e96e879d2bca29

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59f09245b9880e078b43909de5ea271d

SHA1
f9150004daa965f127f627bdfe03cf9addedd27b

SHA256
5d619f6f17898e9023c8947977d80e0c20d2b3e607355ae99501f62d08939650

SHA512
e92b4267fcfcb7e4163ffddd62822c69d866fceaafbb428850fed7bc9373a0b12878f1f78f7a65dd8dc5de84df513e6dba4a35eb37c31f21bc658122f6691146

Download Submit
memory/284-131-0x0000000074031000-0x0000000074033000-memory.dmp

Filesize
8KB

Download
memory/1152-60-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads