aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb

Analysis

max time kernel
119s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
Size

72KB
MD5

047a0ba054d3122cd0241259d7b73f7f
SHA1

a3c64e1c02b537dd27b6b5b21d939c5a39e327d9
SHA256

aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb
SHA512

1106f29c636cae95e2a16e32857d7d3213c11df9b45572339189ea4e5882307bc928e78629c08d633b618472cdf6495a2bbfc6a7557aca112fde6edb5d0441a6
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf28:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPo

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

Executes dropped EXE 64 IoCs

pid	Process
2044	backup.exe
2000	backup.exe
2012	backup.exe
996	backup.exe
1112	backup.exe
568	backup.exe
1468	backup.exe
1232	backup.exe
1532	backup.exe
668	backup.exe
608	backup.exe
1156	backup.exe
580	System Restore.exe
472	backup.exe
1596	backup.exe
884	backup.exe
540	backup.exe
1996	backup.exe
1988	backup.exe
1980	backup.exe
1676	backup.exe
900	backup.exe
996	backup.exe
1472	backup.exe
1396	backup.exe
332	System Restore.exe
1280	backup.exe
936	backup.exe
1336	backup.exe
1748	backup.exe
1544	backup.exe
1768	backup.exe
320	backup.exe
556	backup.exe
1160	backup.exe
1476	System Restore.exe
580	backup.exe
1452	backup.exe
1840	backup.exe
1936	backup.exe
1616	backup.exe
1652	backup.exe
1076	backup.exe
1944	backup.exe
2020	backup.exe
836	update.exe
2000	backup.exe
1556	backup.exe
1588	backup.exe
892	backup.exe
1568	backup.exe
1624	backup.exe
1112	backup.exe
1668	backup.exe
1396	backup.exe
936	backup.exe
1460	backup.exe
1724	backup.exe
280	backup.exe
944	backup.exe
680	backup.exe
1704	System Restore.exe
1864	System Restore.exe
1252	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
568	backup.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
568	backup.exe
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
1232	backup.exe
1232	backup.exe
568	backup.exe
568	backup.exe
608	backup.exe
608	backup.exe
1156	backup.exe
1156	backup.exe
608	backup.exe
608	backup.exe
472	backup.exe
472	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
540	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
2044	backup.exe
2000	backup.exe
2012	backup.exe
996	backup.exe
1112	backup.exe
1468	backup.exe
568	backup.exe
1532	backup.exe
1232	backup.exe
668	backup.exe
608	backup.exe
1156	backup.exe
580	System Restore.exe
472	backup.exe
1596	backup.exe
884	backup.exe
540	backup.exe
1996	backup.exe
1988	backup.exe
1980	backup.exe
1676	backup.exe
900	backup.exe
996	backup.exe
1472	backup.exe
1396	backup.exe
332	System Restore.exe
1280	backup.exe
936	backup.exe
1336	backup.exe
1748	backup.exe
1544	backup.exe
1768	backup.exe
320	backup.exe
556	backup.exe
1160	backup.exe
1476	System Restore.exe
580	backup.exe
1452	backup.exe
1840	backup.exe
1936	backup.exe
1616	backup.exe
1652	backup.exe
1076	backup.exe
1944	backup.exe
2020	backup.exe
2000	backup.exe
1556	backup.exe
1588	backup.exe
1568	backup.exe
892	backup.exe
1624	backup.exe
1112	backup.exe
1396	backup.exe
1668	backup.exe
936	backup.exe
1460	backup.exe
1724	backup.exe
280	backup.exe
944	backup.exe
680	backup.exe
1704	System Restore.exe
1864	System Restore.exe
1252	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2044	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	27
PID 864 wrote to memory of 2044	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	27
PID 864 wrote to memory of 2044	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	27
PID 864 wrote to memory of 2044	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	27
PID 864 wrote to memory of 2000	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	28
PID 864 wrote to memory of 2000	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	28
PID 864 wrote to memory of 2000	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	28
PID 864 wrote to memory of 2000	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	28
PID 864 wrote to memory of 2012	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	29
PID 864 wrote to memory of 2012	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	29
PID 864 wrote to memory of 2012	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	29
PID 864 wrote to memory of 2012	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	29
PID 864 wrote to memory of 996	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	30
PID 864 wrote to memory of 996	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	30
PID 864 wrote to memory of 996	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	30
PID 864 wrote to memory of 996	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	30
PID 864 wrote to memory of 1112	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	31
PID 864 wrote to memory of 1112	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	31
PID 864 wrote to memory of 1112	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	31
PID 864 wrote to memory of 1112	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	31
PID 2044 wrote to memory of 568	2044	backup.exe	32
PID 2044 wrote to memory of 568	2044	backup.exe	32
PID 2044 wrote to memory of 568	2044	backup.exe	32
PID 2044 wrote to memory of 568	2044	backup.exe	32
PID 864 wrote to memory of 1468	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	33
PID 864 wrote to memory of 1468	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	33
PID 864 wrote to memory of 1468	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	33
PID 864 wrote to memory of 1468	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	33
PID 568 wrote to memory of 1232	568	backup.exe	34
PID 568 wrote to memory of 1232	568	backup.exe	34
PID 568 wrote to memory of 1232	568	backup.exe	34
PID 568 wrote to memory of 1232	568	backup.exe	34
PID 864 wrote to memory of 1532	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	35
PID 864 wrote to memory of 1532	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	35
PID 864 wrote to memory of 1532	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	35
PID 864 wrote to memory of 1532	864	aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe	35
PID 1232 wrote to memory of 668	1232	backup.exe	36
PID 1232 wrote to memory of 668	1232	backup.exe	36
PID 1232 wrote to memory of 668	1232	backup.exe	36
PID 1232 wrote to memory of 668	1232	backup.exe	36
PID 568 wrote to memory of 608	568	backup.exe	37
PID 568 wrote to memory of 608	568	backup.exe	37
PID 568 wrote to memory of 608	568	backup.exe	37
PID 568 wrote to memory of 608	568	backup.exe	37
PID 608 wrote to memory of 1156	608	backup.exe	38
PID 608 wrote to memory of 1156	608	backup.exe	38
PID 608 wrote to memory of 1156	608	backup.exe	38
PID 608 wrote to memory of 1156	608	backup.exe	38
PID 1156 wrote to memory of 580	1156	backup.exe	39
PID 1156 wrote to memory of 580	1156	backup.exe	39
PID 1156 wrote to memory of 580	1156	backup.exe	39
PID 1156 wrote to memory of 580	1156	backup.exe	39
PID 608 wrote to memory of 472	608	backup.exe	40
PID 608 wrote to memory of 472	608	backup.exe	40
PID 608 wrote to memory of 472	608	backup.exe	40
PID 608 wrote to memory of 472	608	backup.exe	40
PID 472 wrote to memory of 1596	472	backup.exe	41
PID 472 wrote to memory of 1596	472	backup.exe	41
PID 472 wrote to memory of 1596	472	backup.exe	41
PID 472 wrote to memory of 1596	472	backup.exe	41
PID 1596 wrote to memory of 884	1596	backup.exe	42
PID 1596 wrote to memory of 884	1596	backup.exe	42
PID 1596 wrote to memory of 884	1596	backup.exe	42
PID 1596 wrote to memory of 884	1596	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe
"C:\Users\Admin\AppData\Local\Temp\aa844b9051dddd880baf7a1a164fffc6d70580b612820a4bffe1be4625922fbb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\2132745340\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2132745340\backup.exe C:\Users\Admin\AppData\Local\Temp\2132745340\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2044
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:668
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:608
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1156
      - C:\Program Files\7-Zip\Lang\System Restore.exe
        
        "C:\Program Files\7-Zip\Lang\System Restore.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:580
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:472
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2004
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1076
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Program Files\Common Files\System\ado\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:580
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1908
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1432
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1808
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Program Files\Common Files\System\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1452
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2024
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1464
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1320
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1092
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1448
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1120
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1096
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1552
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1348
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1656
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1984
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1100
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1232
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1456
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1076
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1708
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1592
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1864
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1620
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1828
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:364
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:768
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1652
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2040
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1808
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:836
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:700
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:280
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:884
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:472
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1344
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:1692
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        
        PID:320
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1908
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:996
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
85d8f5be41d9fe136df1c3b971114914

SHA1
d1e7006da832ced4c480383f1db38b48ba0adcb9

SHA256
da3b6014b4a97b5286f92bdb8dfd2f66e637302408f772eebe33b9cf20eb648a

SHA512
d71ed19f8f566d27dbf00b3d6b3011e5215fc463b32ea527e9d43f950b5ea57ae0da08af123b26ad61fcac168353c6d3f39dc3af2e42efaa775b8e9150f8586e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
d08a847f80dac7c3c79844917a2e6543

SHA1
6e5a8dbc0863017e0d4a85283383042b76a82835

SHA256
4c88494a3885aaa9fef926b1835210ea2d5dafc24c5149cda6f3c6cb7330d963

SHA512
1479dcfb8fc5fa33c81e86adcf95cc450b22b4bd14456c8688be93d680c66570ee5f699e0559c4d82290698a392fbc36b6d03ece9e91f7b422d9dbf8e72042a1

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
d08a847f80dac7c3c79844917a2e6543

SHA1
6e5a8dbc0863017e0d4a85283383042b76a82835

SHA256
4c88494a3885aaa9fef926b1835210ea2d5dafc24c5149cda6f3c6cb7330d963

SHA512
1479dcfb8fc5fa33c81e86adcf95cc450b22b4bd14456c8688be93d680c66570ee5f699e0559c4d82290698a392fbc36b6d03ece9e91f7b422d9dbf8e72042a1

Download Submit
C:\Program Files\7-Zip\Lang\System Restore.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b6f224ac0faf6f18359fb25f079e6216

SHA1
4d34102b40182212ecd13af10e7e0527d8886fd7

SHA256
e508703058b8321ed33a23024d7f9c8bcdfe6f5b932e0c8a3a6bbe37c1dc10f7

SHA512
5505799ad29baea5bbd7b9d62e0a5d1355fb372c7f691b014595ccfde0d648423497d79ec47f7f932a488901b4c91fe5ff7d31046b38c85e5fa385965db3bb07

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b6f224ac0faf6f18359fb25f079e6216

SHA1
4d34102b40182212ecd13af10e7e0527d8886fd7

SHA256
e508703058b8321ed33a23024d7f9c8bcdfe6f5b932e0c8a3a6bbe37c1dc10f7

SHA512
5505799ad29baea5bbd7b9d62e0a5d1355fb372c7f691b014595ccfde0d648423497d79ec47f7f932a488901b4c91fe5ff7d31046b38c85e5fa385965db3bb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\2132745340\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
C:\Users\Admin\AppData\Local\Temp\2132745340\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7747a104d1b25b41c285353c3f5ecf1f

SHA1
4e2e4287dfc9922c2bbb05e6c5046a1aee647d4f

SHA256
1bff55ac3334bca33eb7e029dbf47168dd18e3737a253bbc51ecb406670557b9

SHA512
ba69eabb4f297688fbd21dc271f7bbc3aa9a21602a2a1fce9f37963a354c573fdb81450be9d88aca51ed31cf704b97ff52e417ee9635fcf43cc3e681f097c8ca

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7747a104d1b25b41c285353c3f5ecf1f

SHA1
4e2e4287dfc9922c2bbb05e6c5046a1aee647d4f

SHA256
1bff55ac3334bca33eb7e029dbf47168dd18e3737a253bbc51ecb406670557b9

SHA512
ba69eabb4f297688fbd21dc271f7bbc3aa9a21602a2a1fce9f37963a354c573fdb81450be9d88aca51ed31cf704b97ff52e417ee9635fcf43cc3e681f097c8ca

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
85d8f5be41d9fe136df1c3b971114914

SHA1
d1e7006da832ced4c480383f1db38b48ba0adcb9

SHA256
da3b6014b4a97b5286f92bdb8dfd2f66e637302408f772eebe33b9cf20eb648a

SHA512
d71ed19f8f566d27dbf00b3d6b3011e5215fc463b32ea527e9d43f950b5ea57ae0da08af123b26ad61fcac168353c6d3f39dc3af2e42efaa775b8e9150f8586e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
85d8f5be41d9fe136df1c3b971114914

SHA1
d1e7006da832ced4c480383f1db38b48ba0adcb9

SHA256
da3b6014b4a97b5286f92bdb8dfd2f66e637302408f772eebe33b9cf20eb648a

SHA512
d71ed19f8f566d27dbf00b3d6b3011e5215fc463b32ea527e9d43f950b5ea57ae0da08af123b26ad61fcac168353c6d3f39dc3af2e42efaa775b8e9150f8586e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
d08a847f80dac7c3c79844917a2e6543

SHA1
6e5a8dbc0863017e0d4a85283383042b76a82835

SHA256
4c88494a3885aaa9fef926b1835210ea2d5dafc24c5149cda6f3c6cb7330d963

SHA512
1479dcfb8fc5fa33c81e86adcf95cc450b22b4bd14456c8688be93d680c66570ee5f699e0559c4d82290698a392fbc36b6d03ece9e91f7b422d9dbf8e72042a1

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
d08a847f80dac7c3c79844917a2e6543

SHA1
6e5a8dbc0863017e0d4a85283383042b76a82835

SHA256
4c88494a3885aaa9fef926b1835210ea2d5dafc24c5149cda6f3c6cb7330d963

SHA512
1479dcfb8fc5fa33c81e86adcf95cc450b22b4bd14456c8688be93d680c66570ee5f699e0559c4d82290698a392fbc36b6d03ece9e91f7b422d9dbf8e72042a1

Download Submit
\Program Files\7-Zip\Lang\System Restore.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
\Program Files\7-Zip\Lang\System Restore.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bb2c1b1ed7e4edf8e6b8dcea715d82ba

SHA1
36445e4165a8a14ad8f00d81c0af231d136c0625

SHA256
1d18259fe5309bdf46befaa2ae911e7fe6654add4af7351dd17cf4803ed416f1

SHA512
674c07e578b867507e88672521121a13f09fbb86feee1320f33ab65143d0e486227e22da9bdef05f670359698d3174caa430e711b7f47ef43be7f4765ea32dd9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
03fc56b788c9af7d33169da7a60ee129

SHA1
17b96def455d7516b6e73a44e39c0acac1caa708

SHA256
7d22e03f3ded54f305a30b03866bd7407bc62d5dde3ce9e94933944a2e22c202

SHA512
cd1152094bc7f547bfc298791fc1f28f2929b3e271b806ac4f38789c50df3a6fd9c41320402b653b0a7b61b7c0c41dbe7b795679ac8051f47bf2c76a4693a17e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
74f99b6f7ba8ed5771aa1f28c7c26313

SHA1
52570c47ad8397b3663ecd3b70bc042d4c4ff0a9

SHA256
cf6459b07086d3589a09ad85689c544445348e042ec1cdf51166c0584d7fb897

SHA512
89dde03d36d25d3483b9e9532c0648e850a7a0d1b35f614d6ea3bfc454532b1a021aa08372131e91ee8a302da3414a859779a4e5285f109f5c817318e1f4b553

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aea6a874b55566fd4d20d2c8b2b64b72

SHA1
6d541e54c36aa6068c71a66766bea44218211946

SHA256
7ae5d2f665458f12d99985794d8f09e124d345fd7a44c0571e48572759dac3e9

SHA512
c2bc2e32f0fc6e9eb11f083aea6dfb449f573806503075cadc862f9a516d9aa7e0c090bd76a5324c1ecceb823ddf32ac16a69697e83238db448e35a9a9bf21ed

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b6f224ac0faf6f18359fb25f079e6216

SHA1
4d34102b40182212ecd13af10e7e0527d8886fd7

SHA256
e508703058b8321ed33a23024d7f9c8bcdfe6f5b932e0c8a3a6bbe37c1dc10f7

SHA512
5505799ad29baea5bbd7b9d62e0a5d1355fb372c7f691b014595ccfde0d648423497d79ec47f7f932a488901b4c91fe5ff7d31046b38c85e5fa385965db3bb07

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b6f224ac0faf6f18359fb25f079e6216

SHA1
4d34102b40182212ecd13af10e7e0527d8886fd7

SHA256
e508703058b8321ed33a23024d7f9c8bcdfe6f5b932e0c8a3a6bbe37c1dc10f7

SHA512
5505799ad29baea5bbd7b9d62e0a5d1355fb372c7f691b014595ccfde0d648423497d79ec47f7f932a488901b4c91fe5ff7d31046b38c85e5fa385965db3bb07

Download Submit
\Users\Admin\AppData\Local\Temp\2132745340\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
\Users\Admin\AppData\Local\Temp\2132745340\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ae123eb297494c82d45e55736d888bba

SHA1
2e83115aafba8270df34a59a39975274cb9d3c44

SHA256
d0b5a2589a88dea3564bc0254a5264251c09ed2a4315edd0e663f4be11dc75f0

SHA512
644a09bb3bfd0b20fee1e1eb2fbae19b7b52ef29ccd78c3785f45c34c97cd4ea1d06e403eaadfc1c51328b01a0b67b2b297f18a7f0c08b0e7cc9377fb572b36d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
42a2d5266635d460aad053ca956fadb4

SHA1
28a87a4cacf40f855af4a20a155a0870227aef6d

SHA256
ae757b3461b53aa30a41f29f9dc162409cd3c6ffe1187645bea1146b30a08a2b

SHA512
da3ed057dca02a58dc82eda9d14fc8c14483667cf910142f62b63cb899a2e3e3f1573a240930f17216396d33a848930cefed3acef5d8ce189efcef808fb55558

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
59d6c947b4fcb71507838b3773dcc324

SHA1
5ff485e9f08848186718173f49c25cbd9a09fa26

SHA256
0b024dc7b333ce92623d7eece5e6b4476a7eadb31206cd13982f0bf464f80b43

SHA512
83722e6c9be36c7a2fb6fc837affd2fb03d3fb19d1f02ec78f1bbf857f6e8656e6c6bd7a4cef24daff9811eb7427e404e3d8e68d9389b510cc2899e6784b468b

Download Submit
memory/864-111-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-150-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads