036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253

Analysis

max time kernel
149s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
Size

72KB
MD5

0da185ae18621904e5a2d3e34dc908e4
SHA1

9bc187e8b1587d27e9cd1971917217b4dab5cac4
SHA256

036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253
SHA512

55790de2b1c04362a1acaf2a912e010792bfc7d6e61347d2ee1b28f32ba27c46594923563d4eccd2c7da74f0e6b88c112c081b91856aba6700b3e88722a726c2
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2Q:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPk

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1936	backup.exe
1640	backup.exe
964	backup.exe
584	backup.exe
1568	data.exe
1308	backup.exe
1520	backup.exe
1444	System Restore.exe
876	backup.exe
1668	backup.exe
560	backup.exe
640	backup.exe
1488	backup.exe
288	update.exe
816	backup.exe
1168	backup.exe
1536	backup.exe
1968	data.exe
1920	backup.exe
388	backup.exe
1416	backup.exe
292	backup.exe
1568	backup.exe
1952	backup.exe
1292	backup.exe
844	backup.exe
1396	backup.exe
1660	backup.exe
820	backup.exe
1668	backup.exe
544	backup.exe
2032	backup.exe
1004	backup.exe
2008	backup.exe
1312	backup.exe
1892	backup.exe
1864	backup.exe
1488	backup.exe
932	backup.exe
1272	backup.exe
1928	backup.exe
1648	backup.exe
1980	backup.exe
2016	backup.exe
1920	backup.exe
780	backup.exe
1416	backup.exe
1076	backup.exe
916	backup.exe
1028	backup.exe
1944	backup.exe
1264	backup.exe
360	backup.exe
1260	data.exe
1992	backup.exe
840	backup.exe
592	backup.exe
1280	backup.exe
880	backup.exe
1664	backup.exe
2008	backup.exe
932	backup.exe
1692	System Restore.exe
1540	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1444	System Restore.exe
1444	System Restore.exe
876	backup.exe
876	backup.exe
1444	System Restore.exe
1444	System Restore.exe
560	backup.exe
560	backup.exe
640	backup.exe
640	backup.exe
560	backup.exe
288	update.exe
288	update.exe
288	update.exe
288	update.exe
288	update.exe
816	backup.exe
816	backup.exe
816	backup.exe
816	backup.exe
816	backup.exe
1168	backup.exe
1168	backup.exe
1168	backup.exe
816	backup.exe
816	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1968	data.exe
1968	data.exe
1968	data.exe
1536	backup.exe
1536	backup.exe
1920	backup.exe
1920	backup.exe
1920	backup.exe
1536	backup.exe
1536	backup.exe
388	backup.exe
388	backup.exe
388	backup.exe
1536	backup.exe
1536	backup.exe
1416	backup.exe
1416	backup.exe
1416	backup.exe
1536	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\update.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	System Restore.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
1936	backup.exe
1640	backup.exe
964	backup.exe
584	backup.exe
1568	data.exe
1308	backup.exe
1520	backup.exe
1444	System Restore.exe
876	backup.exe
1668	backup.exe
560	backup.exe
640	backup.exe
1488	backup.exe
288	update.exe
816	backup.exe
1168	backup.exe
1536	backup.exe
1968	data.exe
1920	backup.exe
388	backup.exe
1416	backup.exe
292	backup.exe
1568	backup.exe
1952	backup.exe
1292	backup.exe
844	backup.exe
1396	backup.exe
1660	backup.exe
820	backup.exe
1668	backup.exe
544	backup.exe
2032	backup.exe
1004	backup.exe
1312	backup.exe
2008	backup.exe
1488	backup.exe
1864	backup.exe
1892	backup.exe
1272	backup.exe
1928	backup.exe
2016	backup.exe
1980	backup.exe
780	backup.exe
1648	backup.exe
916	backup.exe
1920	backup.exe
1416	backup.exe
1076	backup.exe
1028	backup.exe
1944	backup.exe
1264	backup.exe
1664	backup.exe
1992	backup.exe
1260	data.exe
840	backup.exe
360	backup.exe
1280	backup.exe
592	backup.exe
880	backup.exe
1540	backup.exe
1692	System Restore.exe
1488	backup.exe
1168	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1936	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	27
PID 1988 wrote to memory of 1936	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	27
PID 1988 wrote to memory of 1936	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	27
PID 1988 wrote to memory of 1936	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	27
PID 1988 wrote to memory of 1640	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	28
PID 1988 wrote to memory of 1640	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	28
PID 1988 wrote to memory of 1640	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	28
PID 1988 wrote to memory of 1640	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	28
PID 1988 wrote to memory of 964	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	29
PID 1988 wrote to memory of 964	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	29
PID 1988 wrote to memory of 964	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	29
PID 1988 wrote to memory of 964	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	29
PID 1988 wrote to memory of 584	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	30
PID 1988 wrote to memory of 584	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	30
PID 1988 wrote to memory of 584	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	30
PID 1988 wrote to memory of 584	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	30
PID 1988 wrote to memory of 1568	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	31
PID 1988 wrote to memory of 1568	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	31
PID 1988 wrote to memory of 1568	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	31
PID 1988 wrote to memory of 1568	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	31
PID 1988 wrote to memory of 1308	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	32
PID 1988 wrote to memory of 1308	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	32
PID 1988 wrote to memory of 1308	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	32
PID 1988 wrote to memory of 1308	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	32
PID 1988 wrote to memory of 1520	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	33
PID 1988 wrote to memory of 1520	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	33
PID 1988 wrote to memory of 1520	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	33
PID 1988 wrote to memory of 1520	1988	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe	33
PID 1936 wrote to memory of 1444	1936	backup.exe	34
PID 1936 wrote to memory of 1444	1936	backup.exe	34
PID 1936 wrote to memory of 1444	1936	backup.exe	34
PID 1936 wrote to memory of 1444	1936	backup.exe	34
PID 1444 wrote to memory of 876	1444	System Restore.exe	35
PID 1444 wrote to memory of 876	1444	System Restore.exe	35
PID 1444 wrote to memory of 876	1444	System Restore.exe	35
PID 1444 wrote to memory of 876	1444	System Restore.exe	35
PID 876 wrote to memory of 1668	876	backup.exe	36
PID 876 wrote to memory of 1668	876	backup.exe	36
PID 876 wrote to memory of 1668	876	backup.exe	36
PID 876 wrote to memory of 1668	876	backup.exe	36
PID 1444 wrote to memory of 560	1444	System Restore.exe	37
PID 1444 wrote to memory of 560	1444	System Restore.exe	37
PID 1444 wrote to memory of 560	1444	System Restore.exe	37
PID 1444 wrote to memory of 560	1444	System Restore.exe	37
PID 560 wrote to memory of 640	560	backup.exe	38
PID 560 wrote to memory of 640	560	backup.exe	38
PID 560 wrote to memory of 640	560	backup.exe	38
PID 560 wrote to memory of 640	560	backup.exe	38
PID 640 wrote to memory of 1488	640	backup.exe	39
PID 640 wrote to memory of 1488	640	backup.exe	39
PID 640 wrote to memory of 1488	640	backup.exe	39
PID 640 wrote to memory of 1488	640	backup.exe	39
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 560 wrote to memory of 288	560	backup.exe	40
PID 288 wrote to memory of 816	288	update.exe	41
PID 288 wrote to memory of 816	288	update.exe	41
PID 288 wrote to memory of 816	288	update.exe	41
PID 288 wrote to memory of 816	288	update.exe	41
PID 288 wrote to memory of 816	288	update.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe
"C:\Users\Admin\AppData\Local\Temp\036d138aa1f2920f31136bfacef1b3e5a645d9d64d9e186a00c4bc7e2776a253.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988
- C:\Users\Admin\AppData\Local\Temp\3777089976\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3777089976\backup.exe C:\Users\Admin\AppData\Local\Temp\3777089976\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1444
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:560
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\Program Files\Common Files\update.exe
        
        "C:\Program Files\Common Files\update.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:288
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2252
        
        C:\Program Files\Common Files\Microsoft Shared\VC\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\data.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2188
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2380
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:320
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2260
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:276
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1444
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2244
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:636
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:932
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1076
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:2160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:2388
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1416
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1880
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1256
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1548
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1508
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1452
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:2212
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2412
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:968
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2104
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1280
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:900
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:612
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1480
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2144
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2348
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        
        PID:1168
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1892
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2176
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2424
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2032
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1312
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2404
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1540
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1264
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1396
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:900
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:292
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1828
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2136
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2356
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:636
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1016
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2372
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2168
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2364
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:916
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1460
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1640
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2012
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1532
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:764
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1028
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2128
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2316
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:556
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:360
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Executes dropped EXE
        
        PID:1540
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:984
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:1252
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1700
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:1644
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1640
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1624
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:2220
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2396
    - - C:\Windows\assembly\update.exe
        
        C:\Windows\assembly\update.exe C:\Windows\assembly\
        5⤵
        
        PID:1992
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2112
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2288
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:584
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
21313ad6d7c281a62af51a0a358c0618

SHA1
636ae35a29096de237deab8626444e0f8efbaeb9

SHA256
8d4bbb26295ebc22826def736874e4ceaa5881dcd23ac0c3f68b4183d54cbcd2

SHA512
7eaf0966e1a087bd683140e6be5c6419155541a87950fd781b58a5ec7a478fb71974de064643900429d7ca22065dacb349a73cb2218b954c248a61e487ed7e97

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
af54b8ccb9eefd42537647602729b4d3

SHA1
e7b061a542b50c932708f2bbed8e93050d0b8e5b

SHA256
38adc9b7fd1682e84745e1d5931587422c2c4871830bbca1e35c7f3654bd3608

SHA512
756fb801c273d4e9f8fb1939196d68e430d92defb300b9f10ceb03f3beacdda390f914dc5fc91d52941d7a7fcad65d7ba92c45f99d928481a0da75c27ad4208f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
af54b8ccb9eefd42537647602729b4d3

SHA1
e7b061a542b50c932708f2bbed8e93050d0b8e5b

SHA256
38adc9b7fd1682e84745e1d5931587422c2c4871830bbca1e35c7f3654bd3608

SHA512
756fb801c273d4e9f8fb1939196d68e430d92defb300b9f10ceb03f3beacdda390f914dc5fc91d52941d7a7fcad65d7ba92c45f99d928481a0da75c27ad4208f

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0933b07ef5675b310d388565c8ca297a

SHA1
032527ab23911cb73c915ec01e7e805e0ec6f813

SHA256
14569f0bec527547199248016900c4ed4444f67c6399dff77d42af79da7d5a87

SHA512
6b5f35293ea90535f2917c3a8ac6b35f3af50ba401f866a3a6e76f4f69082253af5460bf3f11c44bdf5a0825f8569bd5cb2e565854f9b086b6f80cc552366563

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
34b0d7eb6df524454b097c1d7fea6835

SHA1
77f653147c0676d00a951ffd4c96be8270633ee0

SHA256
e58761743e6e2ac42cadef28676a7d9428ed16eeb83c9192a4d55ec9ee6d135d

SHA512
ec7c6a7fe24821b97f702b6640603e838a5093e501132f45fd93fc09b0c25578ec23ad41495e61f2142a1be15292b7735f07d6f920fa248a76d56e7e14247af1

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
34b0d7eb6df524454b097c1d7fea6835

SHA1
77f653147c0676d00a951ffd4c96be8270633ee0

SHA256
e58761743e6e2ac42cadef28676a7d9428ed16eeb83c9192a4d55ec9ee6d135d

SHA512
ec7c6a7fe24821b97f702b6640603e838a5093e501132f45fd93fc09b0c25578ec23ad41495e61f2142a1be15292b7735f07d6f920fa248a76d56e7e14247af1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1be543e825d0eff873e5ac1a53ccc18d

SHA1
b5f2bb8b65d899a2cb0fb6a33c237e728878312e

SHA256
53ef55ffc53bb3e097fd4fa93f971d35247c6b13c067667eaf9f62051912a282

SHA512
7bd1c8d60593ea8a6e7240ec352f8fd29417817c67bf780c9960acda5edba8727b69c9eac956d3aaf3d97e0d0bc953391e595adcbbb4435a6d877fc3af6aeda0

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1be543e825d0eff873e5ac1a53ccc18d

SHA1
b5f2bb8b65d899a2cb0fb6a33c237e728878312e

SHA256
53ef55ffc53bb3e097fd4fa93f971d35247c6b13c067667eaf9f62051912a282

SHA512
7bd1c8d60593ea8a6e7240ec352f8fd29417817c67bf780c9960acda5edba8727b69c9eac956d3aaf3d97e0d0bc953391e595adcbbb4435a6d877fc3af6aeda0

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
015e274f5ad146d7280c4b6093c5a0be

SHA1
a66c5b169d14a125ef2bfa70fc76951b50ef6153

SHA256
9a86d697fbd0f1cfac216a934b89ca355a8100d66d271ebc0a944d6b3fd44908

SHA512
20b842985fee1b816c9faaaf0db8918d841ae611e96e81209ac43d27fad4cd4c90bad81a5ce2be7c953d7e48daf5c77308860c18e9d7a1d2b97ba18e5940f821

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
015e274f5ad146d7280c4b6093c5a0be

SHA1
a66c5b169d14a125ef2bfa70fc76951b50ef6153

SHA256
9a86d697fbd0f1cfac216a934b89ca355a8100d66d271ebc0a944d6b3fd44908

SHA512
20b842985fee1b816c9faaaf0db8918d841ae611e96e81209ac43d27fad4cd4c90bad81a5ce2be7c953d7e48daf5c77308860c18e9d7a1d2b97ba18e5940f821

Download Submit
C:\Users\Admin\AppData\Local\Temp\3777089976\backup.exe

Filesize
72KB

MD5
f168e664f3daae1a7f8d28b4a1beb74f

SHA1
845eb117bf0ba634548d5e5c108673359a7e75d9

SHA256
d6862306efe858b79be352f02eda37e6cc11b216f3dc4fa5cdf5b8e7d488f30a

SHA512
c8ac80326a32cef39551bb01f850a46a53805d0c97bc7add9df17ef623b36b9b44602dfed963c2027d7a0257c4f4c94ff58d112555ad2f12a08dc1a26e108005

Download Submit
C:\Users\Admin\AppData\Local\Temp\3777089976\backup.exe

Filesize
72KB

MD5
f168e664f3daae1a7f8d28b4a1beb74f

SHA1
845eb117bf0ba634548d5e5c108673359a7e75d9

SHA256
d6862306efe858b79be352f02eda37e6cc11b216f3dc4fa5cdf5b8e7d488f30a

SHA512
c8ac80326a32cef39551bb01f850a46a53805d0c97bc7add9df17ef623b36b9b44602dfed963c2027d7a0257c4f4c94ff58d112555ad2f12a08dc1a26e108005

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
21313ad6d7c281a62af51a0a358c0618

SHA1
636ae35a29096de237deab8626444e0f8efbaeb9

SHA256
8d4bbb26295ebc22826def736874e4ceaa5881dcd23ac0c3f68b4183d54cbcd2

SHA512
7eaf0966e1a087bd683140e6be5c6419155541a87950fd781b58a5ec7a478fb71974de064643900429d7ca22065dacb349a73cb2218b954c248a61e487ed7e97

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
21313ad6d7c281a62af51a0a358c0618

SHA1
636ae35a29096de237deab8626444e0f8efbaeb9

SHA256
8d4bbb26295ebc22826def736874e4ceaa5881dcd23ac0c3f68b4183d54cbcd2

SHA512
7eaf0966e1a087bd683140e6be5c6419155541a87950fd781b58a5ec7a478fb71974de064643900429d7ca22065dacb349a73cb2218b954c248a61e487ed7e97

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
af54b8ccb9eefd42537647602729b4d3

SHA1
e7b061a542b50c932708f2bbed8e93050d0b8e5b

SHA256
38adc9b7fd1682e84745e1d5931587422c2c4871830bbca1e35c7f3654bd3608

SHA512
756fb801c273d4e9f8fb1939196d68e430d92defb300b9f10ceb03f3beacdda390f914dc5fc91d52941d7a7fcad65d7ba92c45f99d928481a0da75c27ad4208f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
af54b8ccb9eefd42537647602729b4d3

SHA1
e7b061a542b50c932708f2bbed8e93050d0b8e5b

SHA256
38adc9b7fd1682e84745e1d5931587422c2c4871830bbca1e35c7f3654bd3608

SHA512
756fb801c273d4e9f8fb1939196d68e430d92defb300b9f10ceb03f3beacdda390f914dc5fc91d52941d7a7fcad65d7ba92c45f99d928481a0da75c27ad4208f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0933b07ef5675b310d388565c8ca297a

SHA1
032527ab23911cb73c915ec01e7e805e0ec6f813

SHA256
14569f0bec527547199248016900c4ed4444f67c6399dff77d42af79da7d5a87

SHA512
6b5f35293ea90535f2917c3a8ac6b35f3af50ba401f866a3a6e76f4f69082253af5460bf3f11c44bdf5a0825f8569bd5cb2e565854f9b086b6f80cc552366563

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0933b07ef5675b310d388565c8ca297a

SHA1
032527ab23911cb73c915ec01e7e805e0ec6f813

SHA256
14569f0bec527547199248016900c4ed4444f67c6399dff77d42af79da7d5a87

SHA512
6b5f35293ea90535f2917c3a8ac6b35f3af50ba401f866a3a6e76f4f69082253af5460bf3f11c44bdf5a0825f8569bd5cb2e565854f9b086b6f80cc552366563

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
34b0d7eb6df524454b097c1d7fea6835

SHA1
77f653147c0676d00a951ffd4c96be8270633ee0

SHA256
e58761743e6e2ac42cadef28676a7d9428ed16eeb83c9192a4d55ec9ee6d135d

SHA512
ec7c6a7fe24821b97f702b6640603e838a5093e501132f45fd93fc09b0c25578ec23ad41495e61f2142a1be15292b7735f07d6f920fa248a76d56e7e14247af1

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
34b0d7eb6df524454b097c1d7fea6835

SHA1
77f653147c0676d00a951ffd4c96be8270633ee0

SHA256
e58761743e6e2ac42cadef28676a7d9428ed16eeb83c9192a4d55ec9ee6d135d

SHA512
ec7c6a7fe24821b97f702b6640603e838a5093e501132f45fd93fc09b0c25578ec23ad41495e61f2142a1be15292b7735f07d6f920fa248a76d56e7e14247af1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
c2ace79c7b20de9a04f6a23eebc2f8e5

SHA1
3e3f33bf2bfbba8ebe745d1d28674a0038c63922

SHA256
6e78997fdaeec42224489b4f471f2b6ac2e1e053a4f7fe8ee02738b9b45fef49

SHA512
1322e01b45c046a5e39cfcd3a46c6448cc8462cfbc9a9ce3d5a3d6188ed43cc455d6a391e14a136d467cdf943c1e4fb76c366f0ac8474247f1bb4c4079054a5f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
20b44829ea49b38b54c7ef93f4918819

SHA1
1da3d2c1f8e0f3539b8b8d64dfbc823805fe6dbf

SHA256
ceaa8fe0963fe556084f0eae3e12c441940ca0332ca414a26a9afe09be9275f7

SHA512
741c4af717252a2c78617911b0bac0d213abc6a1499f18c55511376c387913d2298e8bea8e5f763788b9de065a74e0631bc1e92da8fa13783973938ddf465452

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
f3e9f4663bd08eeebbfe476bd35816e6

SHA1
dd544027368986afdbf0cb585325a3c2f992bd87

SHA256
83bcff650cf97d431eab149a8c42c94fb025aa3fef4e95f995841775c6760cd7

SHA512
a777cedeeb8d851ba063b294bae98f8f10991ac04eebaf7e641a0a272622cd0c22206a83e777f23aa51e301a8fd82a8320ad2863fb9e75141f28189cd1d4ecbe

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
1be543e825d0eff873e5ac1a53ccc18d

SHA1
b5f2bb8b65d899a2cb0fb6a33c237e728878312e

SHA256
53ef55ffc53bb3e097fd4fa93f971d35247c6b13c067667eaf9f62051912a282

SHA512
7bd1c8d60593ea8a6e7240ec352f8fd29417817c67bf780c9960acda5edba8727b69c9eac956d3aaf3d97e0d0bc953391e595adcbbb4435a6d877fc3af6aeda0

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
1be543e825d0eff873e5ac1a53ccc18d

SHA1
b5f2bb8b65d899a2cb0fb6a33c237e728878312e

SHA256
53ef55ffc53bb3e097fd4fa93f971d35247c6b13c067667eaf9f62051912a282

SHA512
7bd1c8d60593ea8a6e7240ec352f8fd29417817c67bf780c9960acda5edba8727b69c9eac956d3aaf3d97e0d0bc953391e595adcbbb4435a6d877fc3af6aeda0

Download Submit
\Users\Admin\AppData\Local\Temp\3777089976\backup.exe

Filesize
72KB

MD5
f168e664f3daae1a7f8d28b4a1beb74f

SHA1
845eb117bf0ba634548d5e5c108673359a7e75d9

SHA256
d6862306efe858b79be352f02eda37e6cc11b216f3dc4fa5cdf5b8e7d488f30a

SHA512
c8ac80326a32cef39551bb01f850a46a53805d0c97bc7add9df17ef623b36b9b44602dfed963c2027d7a0257c4f4c94ff58d112555ad2f12a08dc1a26e108005

Download Submit
\Users\Admin\AppData\Local\Temp\3777089976\backup.exe

Filesize
72KB

MD5
f168e664f3daae1a7f8d28b4a1beb74f

SHA1
845eb117bf0ba634548d5e5c108673359a7e75d9

SHA256
d6862306efe858b79be352f02eda37e6cc11b216f3dc4fa5cdf5b8e7d488f30a

SHA512
c8ac80326a32cef39551bb01f850a46a53805d0c97bc7add9df17ef623b36b9b44602dfed963c2027d7a0257c4f4c94ff58d112555ad2f12a08dc1a26e108005

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
870e2d57ed11fdba9471beccdefe5f50

SHA1
06f9a93dcd47eb218d1388c69f24a9c0cd29e1d2

SHA256
b7dd07c9a62af4005b32db9815d5ac85e57806fd695f5c18ccca633d1fecf0f9

SHA512
e9b179ab53c8d618d80323ebdf44d07f3c364e9993096d879b79654fa04f3310c9056eb7edd9a10dc6d0b74ac49d9506b0c7ba72bc2ea6113bce671c4b0ea6b6

Download Submit
memory/1988-98-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1988-159-0x0000000073C51000-0x0000000073C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads