da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf

Analysis

max time kernel
17s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 21:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
Size

72KB
MD5

0346a6c84f2e4cb2d62072f4b78bd3e4
SHA1

7261fbeb01d252b6b2ea7befba6d5378a25db0ff
SHA256

da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf
SHA512

0f7734bf85dcc13ba4c9a69dcb5e52a7f64099e045c21f0ea07db173680780d24ff4b78ee793db09ee81cd45ad48e0fba01d35c8be56752460920ec86f8bd15e
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP3X:ieTce/U/hKYuKPn

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe

Executes dropped EXE 64 IoCs

pid	Process
940	backup.exe
1160	backup.exe
676	update.exe
1720	System Restore.exe
112	backup.exe
1896	backup.exe
364	backup.exe
1792	backup.exe
1152	backup.exe
1920	backup.exe
1984	backup.exe
1816	backup.exe
860	backup.exe
1952	backup.exe
1068	backup.exe
1116	backup.exe
1300	backup.exe
1992	backup.exe
1552	backup.exe
2028	update.exe
1576	backup.exe
1292	backup.exe
1668	backup.exe
1764	backup.exe
1276	backup.exe
624	backup.exe
696	backup.exe
1612	System Restore.exe
1516	backup.exe
1040	backup.exe
1428	backup.exe
2000	backup.exe
1996	backup.exe
1740	backup.exe
1604	backup.exe
1648	backup.exe
1060	backup.exe
1980	backup.exe
812	System Restore.exe
884	backup.exe
1072	backup.exe
840	backup.exe
852	backup.exe
980	backup.exe
644	backup.exe
1124	backup.exe
1884	backup.exe
1160	backup.exe
2028	backup.exe
764	backup.exe
1768	backup.exe
1292	backup.exe
112	backup.exe
1496	backup.exe
624	backup.exe
696	backup.exe
1148	backup.exe
1196	update.exe
1260	backup.exe
1408	System Restore.exe
664	backup.exe
1912	System Restore.exe
1932	backup.exe
1604	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
676	update.exe
676	update.exe
676	update.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
364	backup.exe
364	backup.exe
1152	backup.exe
1152	backup.exe
364	backup.exe
364	backup.exe
1984	backup.exe
1984	backup.exe
1816	backup.exe
1816	backup.exe
1984	backup.exe
1984	backup.exe
1952	backup.exe
1952	backup.exe
1068	backup.exe
1068	backup.exe
1068	backup.exe
1068	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
2028	update.exe
2028	update.exe
2028	update.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1300	backup.exe
1516	backup.exe
1516	backup.exe
1516	backup.exe
1516	backup.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
940	backup.exe
1160	backup.exe
676	update.exe
1720	System Restore.exe
112	backup.exe
1896	backup.exe
364	backup.exe
1792	backup.exe
1152	backup.exe
1920	backup.exe
1984	backup.exe
1816	backup.exe
860	backup.exe
1952	backup.exe
1068	backup.exe
1116	backup.exe
1300	backup.exe
1992	backup.exe
1552	backup.exe
2028	update.exe
1576	backup.exe
1292	backup.exe
1668	backup.exe
1764	backup.exe
1276	backup.exe
624	backup.exe
696	backup.exe
1612	System Restore.exe
1516	backup.exe
1040	backup.exe
1428	backup.exe
2000	backup.exe
1996	backup.exe
1740	backup.exe
1604	backup.exe
1648	backup.exe
1060	backup.exe
1980	backup.exe
812	System Restore.exe
884	backup.exe
1072	backup.exe
840	backup.exe
852	backup.exe
980	backup.exe
644	backup.exe
1124	backup.exe
1884	backup.exe
1160	backup.exe
2028	backup.exe
764	backup.exe
1292	backup.exe
1768	backup.exe
1496	backup.exe
112	backup.exe
624	backup.exe
1148	backup.exe
696	backup.exe
1260	backup.exe
1196	update.exe
1408	System Restore.exe
664	backup.exe
1912	System Restore.exe
1932	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 940	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	27
PID 1696 wrote to memory of 940	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	27
PID 1696 wrote to memory of 940	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	27
PID 1696 wrote to memory of 940	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	27
PID 1696 wrote to memory of 1160	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	28
PID 1696 wrote to memory of 1160	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	28
PID 1696 wrote to memory of 1160	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	28
PID 1696 wrote to memory of 1160	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	28
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 676	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	29
PID 1696 wrote to memory of 1720	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	30
PID 1696 wrote to memory of 1720	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	30
PID 1696 wrote to memory of 1720	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	30
PID 1696 wrote to memory of 1720	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	30
PID 1696 wrote to memory of 112	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	31
PID 1696 wrote to memory of 112	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	31
PID 1696 wrote to memory of 112	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	31
PID 1696 wrote to memory of 112	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	31
PID 1696 wrote to memory of 1896	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	32
PID 1696 wrote to memory of 1896	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	32
PID 1696 wrote to memory of 1896	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	32
PID 1696 wrote to memory of 1896	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	32
PID 940 wrote to memory of 364	940	backup.exe	34
PID 940 wrote to memory of 364	940	backup.exe	34
PID 940 wrote to memory of 364	940	backup.exe	34
PID 940 wrote to memory of 364	940	backup.exe	34
PID 1696 wrote to memory of 1792	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	33
PID 1696 wrote to memory of 1792	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	33
PID 1696 wrote to memory of 1792	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	33
PID 1696 wrote to memory of 1792	1696	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe	33
PID 364 wrote to memory of 1152	364	backup.exe	35
PID 364 wrote to memory of 1152	364	backup.exe	35
PID 364 wrote to memory of 1152	364	backup.exe	35
PID 364 wrote to memory of 1152	364	backup.exe	35
PID 1152 wrote to memory of 1920	1152	backup.exe	36
PID 1152 wrote to memory of 1920	1152	backup.exe	36
PID 1152 wrote to memory of 1920	1152	backup.exe	36
PID 1152 wrote to memory of 1920	1152	backup.exe	36
PID 364 wrote to memory of 1984	364	backup.exe	37
PID 364 wrote to memory of 1984	364	backup.exe	37
PID 364 wrote to memory of 1984	364	backup.exe	37
PID 364 wrote to memory of 1984	364	backup.exe	37
PID 1984 wrote to memory of 1816	1984	backup.exe	38
PID 1984 wrote to memory of 1816	1984	backup.exe	38
PID 1984 wrote to memory of 1816	1984	backup.exe	38
PID 1984 wrote to memory of 1816	1984	backup.exe	38
PID 1816 wrote to memory of 860	1816	backup.exe	39
PID 1816 wrote to memory of 860	1816	backup.exe	39
PID 1816 wrote to memory of 860	1816	backup.exe	39
PID 1816 wrote to memory of 860	1816	backup.exe	39
PID 1984 wrote to memory of 1952	1984	backup.exe	40
PID 1984 wrote to memory of 1952	1984	backup.exe	40
PID 1984 wrote to memory of 1952	1984	backup.exe	40
PID 1984 wrote to memory of 1952	1984	backup.exe	40
PID 1952 wrote to memory of 1068	1952	backup.exe	41
PID 1952 wrote to memory of 1068	1952	backup.exe	41
PID 1952 wrote to memory of 1068	1952	backup.exe	41
PID 1952 wrote to memory of 1068	1952	backup.exe	41
PID 1068 wrote to memory of 1116	1068	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe
"C:\Users\Admin\AppData\Local\Temp\da1fac7bdfd520feb42bc60e502d46561ad837cfbcff5d4d8656f177fa8e4baf.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696
- C:\Users\Admin\AppData\Local\Temp\3755945290\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3755945290\backup.exe C:\Users\Admin\AppData\Local\Temp\3755945290\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:940
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:364
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1152
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1984
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1816
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:860
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2008
      - C:\Program Files\Common Files\Services\System Restore.exe
        
        "C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1408
      - C:\Program Files\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1816
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:812
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1204
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:388
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1040
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1380
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1580
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1620
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1516
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1676
        
        C:\Program Files\Common Files\System\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ja-JP\data.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1184
        
        C:\Program Files\Common Files\System\msadc\update.exe
        
        "C:\Program Files\Common Files\System\msadc\update.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1968
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1196
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:696
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:744
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1404
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1936
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1880
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1152
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1460
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1200
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1572
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1152
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1704
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:892
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2076
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1704
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1116
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1056
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1080
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1904
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1652
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1276
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1900
      - C:\Program Files\Java\jdk1.7.0_80\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\data.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:764
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:364
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1960
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1352
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1604
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1976
    - - C:\Program Files\Reference Assemblies\update.exe
        
        "C:\Program Files\Reference Assemblies\update.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1520
    - - C:\Program Files\VideoLAN\data.exe
        
        "C:\Program Files\VideoLAN\data.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2096
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:644
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1884
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Drops file in Program Files directory
        
        PID:696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1448
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1060
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1712
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:320
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:464
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1040
      - C:\Program Files (x86)\Common Files\microsoft shared\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:976
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:664
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1512
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1408
    - - C:\Program Files (x86)\Google\data.exe
        
        "C:\Program Files (x86)\Google\data.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:568
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1296
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1260
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:388
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2024
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1132
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1120
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2104
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1384
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1640
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1476
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:744
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1204
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:860
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1356
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2012
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1384
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1324
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1112
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1092
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1680
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1832
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1072
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2060
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:676
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:112
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
69f5f4749a7d5771e77025586de459e8

SHA1
c06ebf246dd83d1721606857a02a19bb5477fd31

SHA256
24a0405dde6e7aaaa383563f5c03078b5f92d7b9dfb693f72a28d78b4108131b

SHA512
e9c805d5d78c2c9d74a50d657d376df5d62bad3eb570b4295808397f70e6ca63eab0c0569421976053c30ac9cc8b18130c26ea8f82e229e853bdd2cf76beec4b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b14d69ee622a193053410fcc0fa26e49

SHA1
fc22a592b39573faad6d47bd7d860619065b7b03

SHA256
8968c513e9c29d6f8870794712d441ceef4e80e2bbac13f548bc0106827a8ecc

SHA512
17fa233b5bccf4ae9dda3be17e0b2a7b87cb6d71e0c9ce90b7bd8451e7784b2f1e5a7a90c85416bd5c8bf47993534c7f5f4f0a2f65f516fe9b89bd1e16434a1e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d0cb65c6093e7ffb2869410a446a3b20

SHA1
f18b40c0de173b3b60120858e12c422e32c1457e

SHA256
c9298cbc66d073fa18b9649a96abece8054c764861194d51e9d990b56757ff06

SHA512
c1775a03fe7b07cebbadc3ab1dd56c853345bd6c45dace340e553c9296cdc84823f7ffd1113338f0e9c17c5c729e7dd0ff70d562afa2b8148e96d6f6a265e846

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1ba97889c1bc8b6aaf8af76d6a34e23b

SHA1
dac3e653381d4ae574701d3717dbd6e70da83819

SHA256
de396f514e7b9a13271106ed872640077a17c7b9cd2acb6955e1059c11b3203a

SHA512
239fc0c9a4cd75670e01587ff71ae34cf2eef2215e04caacf3a51666ebf5f89800dabe7dda4706ed43da3f01abb855556fdda8a4c25127ba3aea53d635cd1c4e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1ba97889c1bc8b6aaf8af76d6a34e23b

SHA1
dac3e653381d4ae574701d3717dbd6e70da83819

SHA256
de396f514e7b9a13271106ed872640077a17c7b9cd2acb6955e1059c11b3203a

SHA512
239fc0c9a4cd75670e01587ff71ae34cf2eef2215e04caacf3a51666ebf5f89800dabe7dda4706ed43da3f01abb855556fdda8a4c25127ba3aea53d635cd1c4e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
edc21bc549ec3fa85cb01947fa1688a1

SHA1
f23e1d70e3d92e49a0fb30f513e1a45b326eb9aa

SHA256
bc1a173e8c72572beb5ca1c14c61b66ca58470981305ebb7e429c10ae486d8c2

SHA512
6b69c49c4829cb4a85c71efc9018f6996197a38451fbb30f33a6bb97bf01a1cbd21636fa9d97d1d6f830e06a85f5df5a3dad4f6df619d0dcbbd5bc7985185b26

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8b554bfa1b986bb7d76d796a5cbd4431

SHA1
dc8f9954929230aac133434bef6cd9baeb7b4bf4

SHA256
8d7766752edfb71016c0b19c4e71867178dbc8ea02d498765a915987a22fd525

SHA512
f924ea0e0f83c9abf4aa02c5113a3c7de86ebabc736f753366a4727d676524134338dfd582f15ff1221edea8d552751605835e9c3fbdc463e4d8cfd324e946b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8b554bfa1b986bb7d76d796a5cbd4431

SHA1
dc8f9954929230aac133434bef6cd9baeb7b4bf4

SHA256
8d7766752edfb71016c0b19c4e71867178dbc8ea02d498765a915987a22fd525

SHA512
f924ea0e0f83c9abf4aa02c5113a3c7de86ebabc736f753366a4727d676524134338dfd582f15ff1221edea8d552751605835e9c3fbdc463e4d8cfd324e946b7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
C:\Users\Admin\AppData\Local\Temp\3755945290\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3755945290\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
C:\backup.exe

Filesize
72KB

MD5
fe403b0cb9528252146fc916c7d0c035

SHA1
dd66b07594ee31921b9a4c7c899a96c9fdd8e74d

SHA256
8d9718513234368eb3ff16d7a14a21b399fda89839fd045e3ebd3e569ec94de9

SHA512
35b9a527dad3d14a41a68e22329c4b62d0cca12b248738e95e69515833a5e2adf49d8c504045a1f7bdd9471b36c27b30c9dda2edf86de2093b2393ae068a0aa9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
fe403b0cb9528252146fc916c7d0c035

SHA1
dd66b07594ee31921b9a4c7c899a96c9fdd8e74d

SHA256
8d9718513234368eb3ff16d7a14a21b399fda89839fd045e3ebd3e569ec94de9

SHA512
35b9a527dad3d14a41a68e22329c4b62d0cca12b248738e95e69515833a5e2adf49d8c504045a1f7bdd9471b36c27b30c9dda2edf86de2093b2393ae068a0aa9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
69f5f4749a7d5771e77025586de459e8

SHA1
c06ebf246dd83d1721606857a02a19bb5477fd31

SHA256
24a0405dde6e7aaaa383563f5c03078b5f92d7b9dfb693f72a28d78b4108131b

SHA512
e9c805d5d78c2c9d74a50d657d376df5d62bad3eb570b4295808397f70e6ca63eab0c0569421976053c30ac9cc8b18130c26ea8f82e229e853bdd2cf76beec4b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
69f5f4749a7d5771e77025586de459e8

SHA1
c06ebf246dd83d1721606857a02a19bb5477fd31

SHA256
24a0405dde6e7aaaa383563f5c03078b5f92d7b9dfb693f72a28d78b4108131b

SHA512
e9c805d5d78c2c9d74a50d657d376df5d62bad3eb570b4295808397f70e6ca63eab0c0569421976053c30ac9cc8b18130c26ea8f82e229e853bdd2cf76beec4b

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b14d69ee622a193053410fcc0fa26e49

SHA1
fc22a592b39573faad6d47bd7d860619065b7b03

SHA256
8968c513e9c29d6f8870794712d441ceef4e80e2bbac13f548bc0106827a8ecc

SHA512
17fa233b5bccf4ae9dda3be17e0b2a7b87cb6d71e0c9ce90b7bd8451e7784b2f1e5a7a90c85416bd5c8bf47993534c7f5f4f0a2f65f516fe9b89bd1e16434a1e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b14d69ee622a193053410fcc0fa26e49

SHA1
fc22a592b39573faad6d47bd7d860619065b7b03

SHA256
8968c513e9c29d6f8870794712d441ceef4e80e2bbac13f548bc0106827a8ecc

SHA512
17fa233b5bccf4ae9dda3be17e0b2a7b87cb6d71e0c9ce90b7bd8451e7784b2f1e5a7a90c85416bd5c8bf47993534c7f5f4f0a2f65f516fe9b89bd1e16434a1e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d0cb65c6093e7ffb2869410a446a3b20

SHA1
f18b40c0de173b3b60120858e12c422e32c1457e

SHA256
c9298cbc66d073fa18b9649a96abece8054c764861194d51e9d990b56757ff06

SHA512
c1775a03fe7b07cebbadc3ab1dd56c853345bd6c45dace340e553c9296cdc84823f7ffd1113338f0e9c17c5c729e7dd0ff70d562afa2b8148e96d6f6a265e846

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d0cb65c6093e7ffb2869410a446a3b20

SHA1
f18b40c0de173b3b60120858e12c422e32c1457e

SHA256
c9298cbc66d073fa18b9649a96abece8054c764861194d51e9d990b56757ff06

SHA512
c1775a03fe7b07cebbadc3ab1dd56c853345bd6c45dace340e553c9296cdc84823f7ffd1113338f0e9c17c5c729e7dd0ff70d562afa2b8148e96d6f6a265e846

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1ba97889c1bc8b6aaf8af76d6a34e23b

SHA1
dac3e653381d4ae574701d3717dbd6e70da83819

SHA256
de396f514e7b9a13271106ed872640077a17c7b9cd2acb6955e1059c11b3203a

SHA512
239fc0c9a4cd75670e01587ff71ae34cf2eef2215e04caacf3a51666ebf5f89800dabe7dda4706ed43da3f01abb855556fdda8a4c25127ba3aea53d635cd1c4e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1ba97889c1bc8b6aaf8af76d6a34e23b

SHA1
dac3e653381d4ae574701d3717dbd6e70da83819

SHA256
de396f514e7b9a13271106ed872640077a17c7b9cd2acb6955e1059c11b3203a

SHA512
239fc0c9a4cd75670e01587ff71ae34cf2eef2215e04caacf3a51666ebf5f89800dabe7dda4706ed43da3f01abb855556fdda8a4c25127ba3aea53d635cd1c4e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
edc21bc549ec3fa85cb01947fa1688a1

SHA1
f23e1d70e3d92e49a0fb30f513e1a45b326eb9aa

SHA256
bc1a173e8c72572beb5ca1c14c61b66ca58470981305ebb7e429c10ae486d8c2

SHA512
6b69c49c4829cb4a85c71efc9018f6996197a38451fbb30f33a6bb97bf01a1cbd21636fa9d97d1d6f830e06a85f5df5a3dad4f6df619d0dcbbd5bc7985185b26

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
edc21bc549ec3fa85cb01947fa1688a1

SHA1
f23e1d70e3d92e49a0fb30f513e1a45b326eb9aa

SHA256
bc1a173e8c72572beb5ca1c14c61b66ca58470981305ebb7e429c10ae486d8c2

SHA512
6b69c49c4829cb4a85c71efc9018f6996197a38451fbb30f33a6bb97bf01a1cbd21636fa9d97d1d6f830e06a85f5df5a3dad4f6df619d0dcbbd5bc7985185b26

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8b554bfa1b986bb7d76d796a5cbd4431

SHA1
dc8f9954929230aac133434bef6cd9baeb7b4bf4

SHA256
8d7766752edfb71016c0b19c4e71867178dbc8ea02d498765a915987a22fd525

SHA512
f924ea0e0f83c9abf4aa02c5113a3c7de86ebabc736f753366a4727d676524134338dfd582f15ff1221edea8d552751605835e9c3fbdc463e4d8cfd324e946b7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8b554bfa1b986bb7d76d796a5cbd4431

SHA1
dc8f9954929230aac133434bef6cd9baeb7b4bf4

SHA256
8d7766752edfb71016c0b19c4e71867178dbc8ea02d498765a915987a22fd525

SHA512
f924ea0e0f83c9abf4aa02c5113a3c7de86ebabc736f753366a4727d676524134338dfd582f15ff1221edea8d552751605835e9c3fbdc463e4d8cfd324e946b7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
edc21bc549ec3fa85cb01947fa1688a1

SHA1
f23e1d70e3d92e49a0fb30f513e1a45b326eb9aa

SHA256
bc1a173e8c72572beb5ca1c14c61b66ca58470981305ebb7e429c10ae486d8c2

SHA512
6b69c49c4829cb4a85c71efc9018f6996197a38451fbb30f33a6bb97bf01a1cbd21636fa9d97d1d6f830e06a85f5df5a3dad4f6df619d0dcbbd5bc7985185b26

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2a7240b218bfded81eea490d81d039b0

SHA1
9b17c7f187faceaa4db7abfd9d5e2c2111fcdec4

SHA256
1248a471b1faf6e07f339f7b56786fabe075600da113efb8d18ab3480230aeeb

SHA512
669698b5fbf6210219bc863890f8cd85128cfc11904bf8bbd461764e3c946d6e0cc13c21054fb4ab0624b818de856f19413a8ef10a9b3a857e87f77c194f8069

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b87a28f41a1a7181a6f28f221be7c2c7

SHA1
d8debf26b5edb27c2e615eaaf14d03cf3ecb70ca

SHA256
ef297634cc7a387e166440abdb8862e56918fc2ca8c25378baa157ce524e8088

SHA512
b74b338b4405b4fc9f7348e7d63bf6dcbf48fc1f4f185d335f2518a9d9b8ec1eb5135adaa156803156cc11e1d50ae1a77114f4dedda8f445d23c93af72ff3488

Download Submit
\Users\Admin\AppData\Local\Temp\3755945290\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\3755945290\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f048ed6e4b08951828fecf0dc1d57e7f

SHA1
2762e00d5e4f5d3150950aa76ce854e575119431

SHA256
a3065095303a74be902066c2d7a14894a09fce54fe403f4f211797810af638dc

SHA512
86109df04aedfc89d53e67391c7025daedcbe8a27c68b2ccb0abf5c5ec373310c2b08f10377224c83e644fead69f0082a4ec4f5143e271ed474a5ac10cdef3e7

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ca4b615928a94d45b2f23f03811286b0

SHA1
9643a2942554091dfcb3f570249fbf6526206b48

SHA256
6a25cfcb86de64576d1e800ffbaaaa90128a07d59edfe8a8f6cdaa636de84112

SHA512
87b3abfccea1bb0511c8a7ef8b2b3c0d6022348c1cdb6b3dc7129580c72cf3d16d3c6c491dc0a89faed572cf94f24375a3c161f7c3eec9f212fe7a9af95ac574

Download Submit
memory/676-72-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-148-0x0000000074981000-0x0000000074983000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads