bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be

Analysis

max time kernel
20s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Size

72KB
MD5

024c35416b90e3c9347244397b250331
SHA1

23ac21da102126e203aa1b9cb9c7f176e45dd783
SHA256

bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be
SHA512

ab9a20b4a37223296035fe81db42b002da437bca8bb40dc5d7ea4f42fcf9e41402e9cea14c9608fbe9b7eceb31724eab898e762414b36de080a4f96d43947c0d
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2z:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr/

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 60 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1300	backup.exe
568	backup.exe
668	update.exe
564	backup.exe
436	backup.exe
988	backup.exe
1836	backup.exe
912	backup.exe
1804	backup.exe
2028	backup.exe
1380	backup.exe
1644	backup.exe
1572	backup.exe
1180	backup.exe
772	backup.exe
628	backup.exe
1728	backup.exe
1612	backup.exe
1564	backup.exe
1748	backup.exe
1236	backup.exe
588	backup.exe
1444	backup.exe
1676	data.exe
524	backup.exe
556	backup.exe
1604	backup.exe
1536	backup.exe
764	backup.exe
984	backup.exe
1668	backup.exe
1532	backup.exe
1904	backup.exe
1664	backup.exe
1956	backup.exe
1984	backup.exe
1516	backup.exe
920	backup.exe
1660	backup.exe
1488	backup.exe
1032	backup.exe
1408	backup.exe
1312	backup.exe
1888	backup.exe
816	backup.exe
1588	backup.exe
1584	backup.exe
1344	backup.exe
1564	System Restore.exe
1824	backup.exe
684	backup.exe
588	backup.exe
1676	backup.exe
1028	update.exe
848	data.exe
1704	backup.exe
1536	backup.exe
1568	backup.exe
1920	System Restore.exe
1952	backup.exe
1216	backup.exe
1916	backup.exe
1816	backup.exe
1664	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
668	update.exe
668	update.exe
668	update.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
436	backup.exe
436	backup.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
1836	backup.exe
1836	backup.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
436	backup.exe
436	backup.exe
1380	backup.exe
1380	backup.exe
1644	backup.exe
1644	backup.exe
1380	backup.exe
1380	backup.exe
1180	backup.exe
1180	backup.exe
772	backup.exe
772	backup.exe
772	backup.exe
772	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
1728	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
1300	backup.exe
568	backup.exe
668	update.exe
564	backup.exe
436	backup.exe
988	backup.exe
1836	backup.exe
912	backup.exe
1804	backup.exe
2028	backup.exe
1380	backup.exe
1644	backup.exe
1572	backup.exe
1180	backup.exe
772	backup.exe
628	backup.exe
1728	backup.exe
1612	backup.exe
1564	backup.exe
1748	backup.exe
1236	backup.exe
588	backup.exe
1444	backup.exe
1676	data.exe
524	backup.exe
556	backup.exe
1604	backup.exe
1536	backup.exe
764	backup.exe
984	backup.exe
1668	backup.exe
1532	backup.exe
1904	backup.exe
1664	backup.exe
1956	backup.exe
1984	backup.exe
1516	backup.exe
920	backup.exe
1660	backup.exe
1488	backup.exe
1032	backup.exe
1408	backup.exe
1312	backup.exe
1888	backup.exe
816	backup.exe
1588	backup.exe
1564	System Restore.exe
1344	backup.exe
1824	backup.exe
1584	backup.exe
684	backup.exe
588	backup.exe
1676	backup.exe
1028	update.exe
848	data.exe
1704	backup.exe
1536	backup.exe
1568	backup.exe
1216	backup.exe
1920	System Restore.exe
1916	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1300	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	27
PID 992 wrote to memory of 1300	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	27
PID 992 wrote to memory of 1300	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	27
PID 992 wrote to memory of 1300	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	27
PID 992 wrote to memory of 568	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	28
PID 992 wrote to memory of 568	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	28
PID 992 wrote to memory of 568	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	28
PID 992 wrote to memory of 568	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	28
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 668	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	29
PID 992 wrote to memory of 564	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	30
PID 992 wrote to memory of 564	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	30
PID 992 wrote to memory of 564	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	30
PID 992 wrote to memory of 564	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	30
PID 1300 wrote to memory of 436	1300	backup.exe	31
PID 1300 wrote to memory of 436	1300	backup.exe	31
PID 1300 wrote to memory of 436	1300	backup.exe	31
PID 1300 wrote to memory of 436	1300	backup.exe	31
PID 992 wrote to memory of 988	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	32
PID 992 wrote to memory of 988	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	32
PID 992 wrote to memory of 988	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	32
PID 992 wrote to memory of 988	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	32
PID 436 wrote to memory of 1836	436	backup.exe	33
PID 436 wrote to memory of 1836	436	backup.exe	33
PID 436 wrote to memory of 1836	436	backup.exe	33
PID 436 wrote to memory of 1836	436	backup.exe	33
PID 992 wrote to memory of 912	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	34
PID 992 wrote to memory of 912	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	34
PID 992 wrote to memory of 912	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	34
PID 992 wrote to memory of 912	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	34
PID 1836 wrote to memory of 1804	1836	backup.exe	35
PID 1836 wrote to memory of 1804	1836	backup.exe	35
PID 1836 wrote to memory of 1804	1836	backup.exe	35
PID 1836 wrote to memory of 1804	1836	backup.exe	35
PID 992 wrote to memory of 2028	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	36
PID 992 wrote to memory of 2028	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	36
PID 992 wrote to memory of 2028	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	36
PID 992 wrote to memory of 2028	992	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe	36
PID 436 wrote to memory of 1380	436	backup.exe	37
PID 436 wrote to memory of 1380	436	backup.exe	37
PID 436 wrote to memory of 1380	436	backup.exe	37
PID 436 wrote to memory of 1380	436	backup.exe	37
PID 1380 wrote to memory of 1644	1380	backup.exe	38
PID 1380 wrote to memory of 1644	1380	backup.exe	38
PID 1380 wrote to memory of 1644	1380	backup.exe	38
PID 1380 wrote to memory of 1644	1380	backup.exe	38
PID 1644 wrote to memory of 1572	1644	backup.exe	39
PID 1644 wrote to memory of 1572	1644	backup.exe	39
PID 1644 wrote to memory of 1572	1644	backup.exe	39
PID 1644 wrote to memory of 1572	1644	backup.exe	39
PID 1380 wrote to memory of 1180	1380	backup.exe	40
PID 1380 wrote to memory of 1180	1380	backup.exe	40
PID 1380 wrote to memory of 1180	1380	backup.exe	40
PID 1380 wrote to memory of 1180	1380	backup.exe	40
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 772 wrote to memory of 628	772	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe
"C:\Users\Admin\AppData\Local\Temp\bc722eb724004fdeef3bfcb405ef89adbb24257f451bf8c611a2bb1984a242be.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:992
- C:\Users\Admin\AppData\Local\Temp\1905044341\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1905044341\backup.exe C:\Users\Admin\AppData\Local\Temp\1905044341\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1300
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:436
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1836
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1380
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1644
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1572
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:2220
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:456
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2096
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1888
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1032
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
      - C:\Program Files\DVD Maker\es-ES\data.exe
        
        "C:\Program Files\DVD Maker\es-ES\data.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1028
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1568
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1816
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:876
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:276
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1836
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:2012
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:688
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:108
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1140
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2144
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:304
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1468
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1480
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1012
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1696
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1212
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:344
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2184
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:1560
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:864
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1828
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:584
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1760
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1052
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2156
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1660
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1312
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1108
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1716
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1584
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:928
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2000
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2212
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1528
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Executes dropped EXE
        
        PID:1664
      - C:\Program Files (x86)\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\System Restore.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2072
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2164
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1056
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1200
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        Executes dropped EXE
        
        PID:1816
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1752
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2112
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2228
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1940
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1720
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1236
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1608
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1076
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2080
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2192
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:564
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:988
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:912
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
99d9b8a0bd710a67f3718f21233d6169

SHA1
526bbd8fd9b4545b9ee7457c3fa830a5d2e2c1d4

SHA256
53dc2f50b0e03158f8847ff53e65fbd5b4dae40c060082ce86c3ed14ee5b0ade

SHA512
c6ad25a2f858b6d69f7e37e2ba6034ac41b280d8301111ed47b7e91572167bb9c44983ef55e52094b42d9fa92dbb539e354564c5b9fec1711d211761b6454005

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
80316b27b8e4a3394c73c97f2c567824

SHA1
d8aa3bd69478b3bd2b71da9dfd2ad1a20e8cdb88

SHA256
9c1e2241783527f1d7983543fe7ca048d1c5153a28bd37fc5135873c7bd1db7a

SHA512
62f8666a267cd3b8671ffdb5926ad4f133e7bc4cd9cfc05c3b002a05f6b14546decf5d7d7925850a47686b1cb7eb2eaad57b00ab40eb886774ede6f46b86772f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
80316b27b8e4a3394c73c97f2c567824

SHA1
d8aa3bd69478b3bd2b71da9dfd2ad1a20e8cdb88

SHA256
9c1e2241783527f1d7983543fe7ca048d1c5153a28bd37fc5135873c7bd1db7a

SHA512
62f8666a267cd3b8671ffdb5926ad4f133e7bc4cd9cfc05c3b002a05f6b14546decf5d7d7925850a47686b1cb7eb2eaad57b00ab40eb886774ede6f46b86772f

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7aa3ab6ce98174ac185632ad895b4936

SHA1
11096bb5211dfba830ea8cfb6e462be2d56bf06b

SHA256
07bf3a0d36a697546f47fc54a6593e7174ff3a91452fe452a7cddb984626a19b

SHA512
6eb33801b32aaadfad43d86d808a32cfac58a2fd0bea2ea8034bf2cc2e7aa9e0540f983d6afc6bcc0ff52368ec6d70d9e6a3da9e117ea1f12648572362678e38

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6de3192cc953edd1b6ebc74d22cf604

SHA1
e30a01c7a439fc8e13a2d72422ae491b97412bdc

SHA256
78c63e71ae7c1ef2819a8350cbd9ed4464f2cf0e1dfe265a283d09a0044c0eb0

SHA512
3f5085a8a8d1e9fdffe64e82edf50c751aecbaa9c23fa47a6046ad2997d02b7af33133f26d8e5a33bd0c04b9f63d6c53d53331d8f6c947b38e8797cb7094fc22

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6de3192cc953edd1b6ebc74d22cf604

SHA1
e30a01c7a439fc8e13a2d72422ae491b97412bdc

SHA256
78c63e71ae7c1ef2819a8350cbd9ed4464f2cf0e1dfe265a283d09a0044c0eb0

SHA512
3f5085a8a8d1e9fdffe64e82edf50c751aecbaa9c23fa47a6046ad2997d02b7af33133f26d8e5a33bd0c04b9f63d6c53d53331d8f6c947b38e8797cb7094fc22

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
baf1d05a78a64ae44c709560a29e2203

SHA1
33edbfd9b2c80f1af65189e4c75a534e603f0043

SHA256
aa0acbeaaa618f1b387feae4746b46b9c1aa049f42e841da6765caad2d4a71bd

SHA512
62729ce2ceed303bf30eefc24f3adea53ee6a01bf392f45823990f53555862c1c055b32c25c1c6da83e3bff127010866e393eea1798dfcb16def7aa2ae3e3693

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17cb716fadac1d4b23feb2d9308bde6e

SHA1
e99c566a88edbb7c214be5a434e42f180c2e82ab

SHA256
3fcd2e6a8753d2f59471f07d0d4cc27b22f27d8215cfbaf4ee621ed1ca0310d3

SHA512
ff4edafbf034404c460fb03e266e0db6621a667baba9a281dbf6360bfac09148382aa5c9bcf3e6220f2745f3624d13a392138909ef077ffb016bda3ed595a020

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17cb716fadac1d4b23feb2d9308bde6e

SHA1
e99c566a88edbb7c214be5a434e42f180c2e82ab

SHA256
3fcd2e6a8753d2f59471f07d0d4cc27b22f27d8215cfbaf4ee621ed1ca0310d3

SHA512
ff4edafbf034404c460fb03e266e0db6621a667baba9a281dbf6360bfac09148382aa5c9bcf3e6220f2745f3624d13a392138909ef077ffb016bda3ed595a020

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
38424a355dfb5820615dfa4163ce4e86

SHA1
e02e0918b9f3518e21150f8f5613acacb89d236e

SHA256
8560903929162ec39d66f4a045a5935c3381bc2f7359dc9e433efaa21193a2a2

SHA512
3bcb90b5af08ff88089cf00e26187981bab4b7013f01a9ff359073b121dc1fc99b51ae7b4a0e1fb4739bb245fbdf0fed4050203ea58712656d7fb1a4079a4566

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a681733607333d526c98a2c678a0291e

SHA1
4462db08721bbf7ec874c0934df54959fc6b8945

SHA256
26586fa5ff7ee08f4ba9348f0fe5f2a8edb1cac77b7579cf8a09d77903e02bf7

SHA512
38ba581ac3068c8c927eb1a51e088207b08bee433cc3335616f88b40481717a0d3c0ebf49a6c450f1bdbfe4eb5a2ccef224d4ae59e0a164f72203e848e10d31e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a681733607333d526c98a2c678a0291e

SHA1
4462db08721bbf7ec874c0934df54959fc6b8945

SHA256
26586fa5ff7ee08f4ba9348f0fe5f2a8edb1cac77b7579cf8a09d77903e02bf7

SHA512
38ba581ac3068c8c927eb1a51e088207b08bee433cc3335616f88b40481717a0d3c0ebf49a6c450f1bdbfe4eb5a2ccef224d4ae59e0a164f72203e848e10d31e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
84442ee33e154c2969a5682f699054bc

SHA1
b75b4b5a0a70b54fcd4e1d8cddf1e6103c0c3980

SHA256
5d579eb66641e82bca1dc612d22cb4452c240cbe26bb011f1a5b93de47926cc1

SHA512
5e3d3adbdd50c3f61e58f87f21ca8ccbd0a29e3a9ef9dbf667bc266a6188dc460c7ae5be60acbcd224a125ec7e3a0cd5a053e88125fbb710cafc89a74b073f97

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
84442ee33e154c2969a5682f699054bc

SHA1
b75b4b5a0a70b54fcd4e1d8cddf1e6103c0c3980

SHA256
5d579eb66641e82bca1dc612d22cb4452c240cbe26bb011f1a5b93de47926cc1

SHA512
5e3d3adbdd50c3f61e58f87f21ca8ccbd0a29e3a9ef9dbf667bc266a6188dc460c7ae5be60acbcd224a125ec7e3a0cd5a053e88125fbb710cafc89a74b073f97

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
96158362a7206fd246417bc50391fa97

SHA1
9a7918955242b862b639bd63306284249261e37f

SHA256
c1ab0ec399522a231e691ff50c1a30963178f33261f4da9eca6049a3b031b5d3

SHA512
ba6da4e329f3ecb85262f1f3ae19b02742250a311d9f3d80ba6159e10645654bcc2e3e98726b063bbe6eabb5698cdecd407af6b94d907453ebf239f6a31178d4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
96158362a7206fd246417bc50391fa97

SHA1
9a7918955242b862b639bd63306284249261e37f

SHA256
c1ab0ec399522a231e691ff50c1a30963178f33261f4da9eca6049a3b031b5d3

SHA512
ba6da4e329f3ecb85262f1f3ae19b02742250a311d9f3d80ba6159e10645654bcc2e3e98726b063bbe6eabb5698cdecd407af6b94d907453ebf239f6a31178d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1905044341\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1905044341\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4f34e94328254a31df9fc53fd343592b

SHA1
e800472d36be87d65680691371cdb5bbd53adf14

SHA256
6f8aaa6c36002d2fde6ea46c9605fd04576831249b2027e5d6988803f3fac235

SHA512
85cbbb82bd3e94a2c730ba7ae29246c831d003a5844c620303dc0a98c20121d40c910a0f86f5098e4c37fff6cc2a5b26c28a0eb659675d6c3868abb9aae7354a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4f34e94328254a31df9fc53fd343592b

SHA1
e800472d36be87d65680691371cdb5bbd53adf14

SHA256
6f8aaa6c36002d2fde6ea46c9605fd04576831249b2027e5d6988803f3fac235

SHA512
85cbbb82bd3e94a2c730ba7ae29246c831d003a5844c620303dc0a98c20121d40c910a0f86f5098e4c37fff6cc2a5b26c28a0eb659675d6c3868abb9aae7354a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
99d9b8a0bd710a67f3718f21233d6169

SHA1
526bbd8fd9b4545b9ee7457c3fa830a5d2e2c1d4

SHA256
53dc2f50b0e03158f8847ff53e65fbd5b4dae40c060082ce86c3ed14ee5b0ade

SHA512
c6ad25a2f858b6d69f7e37e2ba6034ac41b280d8301111ed47b7e91572167bb9c44983ef55e52094b42d9fa92dbb539e354564c5b9fec1711d211761b6454005

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
99d9b8a0bd710a67f3718f21233d6169

SHA1
526bbd8fd9b4545b9ee7457c3fa830a5d2e2c1d4

SHA256
53dc2f50b0e03158f8847ff53e65fbd5b4dae40c060082ce86c3ed14ee5b0ade

SHA512
c6ad25a2f858b6d69f7e37e2ba6034ac41b280d8301111ed47b7e91572167bb9c44983ef55e52094b42d9fa92dbb539e354564c5b9fec1711d211761b6454005

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
80316b27b8e4a3394c73c97f2c567824

SHA1
d8aa3bd69478b3bd2b71da9dfd2ad1a20e8cdb88

SHA256
9c1e2241783527f1d7983543fe7ca048d1c5153a28bd37fc5135873c7bd1db7a

SHA512
62f8666a267cd3b8671ffdb5926ad4f133e7bc4cd9cfc05c3b002a05f6b14546decf5d7d7925850a47686b1cb7eb2eaad57b00ab40eb886774ede6f46b86772f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
80316b27b8e4a3394c73c97f2c567824

SHA1
d8aa3bd69478b3bd2b71da9dfd2ad1a20e8cdb88

SHA256
9c1e2241783527f1d7983543fe7ca048d1c5153a28bd37fc5135873c7bd1db7a

SHA512
62f8666a267cd3b8671ffdb5926ad4f133e7bc4cd9cfc05c3b002a05f6b14546decf5d7d7925850a47686b1cb7eb2eaad57b00ab40eb886774ede6f46b86772f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7aa3ab6ce98174ac185632ad895b4936

SHA1
11096bb5211dfba830ea8cfb6e462be2d56bf06b

SHA256
07bf3a0d36a697546f47fc54a6593e7174ff3a91452fe452a7cddb984626a19b

SHA512
6eb33801b32aaadfad43d86d808a32cfac58a2fd0bea2ea8034bf2cc2e7aa9e0540f983d6afc6bcc0ff52368ec6d70d9e6a3da9e117ea1f12648572362678e38

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7aa3ab6ce98174ac185632ad895b4936

SHA1
11096bb5211dfba830ea8cfb6e462be2d56bf06b

SHA256
07bf3a0d36a697546f47fc54a6593e7174ff3a91452fe452a7cddb984626a19b

SHA512
6eb33801b32aaadfad43d86d808a32cfac58a2fd0bea2ea8034bf2cc2e7aa9e0540f983d6afc6bcc0ff52368ec6d70d9e6a3da9e117ea1f12648572362678e38

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6de3192cc953edd1b6ebc74d22cf604

SHA1
e30a01c7a439fc8e13a2d72422ae491b97412bdc

SHA256
78c63e71ae7c1ef2819a8350cbd9ed4464f2cf0e1dfe265a283d09a0044c0eb0

SHA512
3f5085a8a8d1e9fdffe64e82edf50c751aecbaa9c23fa47a6046ad2997d02b7af33133f26d8e5a33bd0c04b9f63d6c53d53331d8f6c947b38e8797cb7094fc22

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6de3192cc953edd1b6ebc74d22cf604

SHA1
e30a01c7a439fc8e13a2d72422ae491b97412bdc

SHA256
78c63e71ae7c1ef2819a8350cbd9ed4464f2cf0e1dfe265a283d09a0044c0eb0

SHA512
3f5085a8a8d1e9fdffe64e82edf50c751aecbaa9c23fa47a6046ad2997d02b7af33133f26d8e5a33bd0c04b9f63d6c53d53331d8f6c947b38e8797cb7094fc22

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
baf1d05a78a64ae44c709560a29e2203

SHA1
33edbfd9b2c80f1af65189e4c75a534e603f0043

SHA256
aa0acbeaaa618f1b387feae4746b46b9c1aa049f42e841da6765caad2d4a71bd

SHA512
62729ce2ceed303bf30eefc24f3adea53ee6a01bf392f45823990f53555862c1c055b32c25c1c6da83e3bff127010866e393eea1798dfcb16def7aa2ae3e3693

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
baf1d05a78a64ae44c709560a29e2203

SHA1
33edbfd9b2c80f1af65189e4c75a534e603f0043

SHA256
aa0acbeaaa618f1b387feae4746b46b9c1aa049f42e841da6765caad2d4a71bd

SHA512
62729ce2ceed303bf30eefc24f3adea53ee6a01bf392f45823990f53555862c1c055b32c25c1c6da83e3bff127010866e393eea1798dfcb16def7aa2ae3e3693

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17cb716fadac1d4b23feb2d9308bde6e

SHA1
e99c566a88edbb7c214be5a434e42f180c2e82ab

SHA256
3fcd2e6a8753d2f59471f07d0d4cc27b22f27d8215cfbaf4ee621ed1ca0310d3

SHA512
ff4edafbf034404c460fb03e266e0db6621a667baba9a281dbf6360bfac09148382aa5c9bcf3e6220f2745f3624d13a392138909ef077ffb016bda3ed595a020

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17cb716fadac1d4b23feb2d9308bde6e

SHA1
e99c566a88edbb7c214be5a434e42f180c2e82ab

SHA256
3fcd2e6a8753d2f59471f07d0d4cc27b22f27d8215cfbaf4ee621ed1ca0310d3

SHA512
ff4edafbf034404c460fb03e266e0db6621a667baba9a281dbf6360bfac09148382aa5c9bcf3e6220f2745f3624d13a392138909ef077ffb016bda3ed595a020

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
38424a355dfb5820615dfa4163ce4e86

SHA1
e02e0918b9f3518e21150f8f5613acacb89d236e

SHA256
8560903929162ec39d66f4a045a5935c3381bc2f7359dc9e433efaa21193a2a2

SHA512
3bcb90b5af08ff88089cf00e26187981bab4b7013f01a9ff359073b121dc1fc99b51ae7b4a0e1fb4739bb245fbdf0fed4050203ea58712656d7fb1a4079a4566

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
38424a355dfb5820615dfa4163ce4e86

SHA1
e02e0918b9f3518e21150f8f5613acacb89d236e

SHA256
8560903929162ec39d66f4a045a5935c3381bc2f7359dc9e433efaa21193a2a2

SHA512
3bcb90b5af08ff88089cf00e26187981bab4b7013f01a9ff359073b121dc1fc99b51ae7b4a0e1fb4739bb245fbdf0fed4050203ea58712656d7fb1a4079a4566

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a681733607333d526c98a2c678a0291e

SHA1
4462db08721bbf7ec874c0934df54959fc6b8945

SHA256
26586fa5ff7ee08f4ba9348f0fe5f2a8edb1cac77b7579cf8a09d77903e02bf7

SHA512
38ba581ac3068c8c927eb1a51e088207b08bee433cc3335616f88b40481717a0d3c0ebf49a6c450f1bdbfe4eb5a2ccef224d4ae59e0a164f72203e848e10d31e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a681733607333d526c98a2c678a0291e

SHA1
4462db08721bbf7ec874c0934df54959fc6b8945

SHA256
26586fa5ff7ee08f4ba9348f0fe5f2a8edb1cac77b7579cf8a09d77903e02bf7

SHA512
38ba581ac3068c8c927eb1a51e088207b08bee433cc3335616f88b40481717a0d3c0ebf49a6c450f1bdbfe4eb5a2ccef224d4ae59e0a164f72203e848e10d31e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
38424a355dfb5820615dfa4163ce4e86

SHA1
e02e0918b9f3518e21150f8f5613acacb89d236e

SHA256
8560903929162ec39d66f4a045a5935c3381bc2f7359dc9e433efaa21193a2a2

SHA512
3bcb90b5af08ff88089cf00e26187981bab4b7013f01a9ff359073b121dc1fc99b51ae7b4a0e1fb4739bb245fbdf0fed4050203ea58712656d7fb1a4079a4566

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
84442ee33e154c2969a5682f699054bc

SHA1
b75b4b5a0a70b54fcd4e1d8cddf1e6103c0c3980

SHA256
5d579eb66641e82bca1dc612d22cb4452c240cbe26bb011f1a5b93de47926cc1

SHA512
5e3d3adbdd50c3f61e58f87f21ca8ccbd0a29e3a9ef9dbf667bc266a6188dc460c7ae5be60acbcd224a125ec7e3a0cd5a053e88125fbb710cafc89a74b073f97

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
84442ee33e154c2969a5682f699054bc

SHA1
b75b4b5a0a70b54fcd4e1d8cddf1e6103c0c3980

SHA256
5d579eb66641e82bca1dc612d22cb4452c240cbe26bb011f1a5b93de47926cc1

SHA512
5e3d3adbdd50c3f61e58f87f21ca8ccbd0a29e3a9ef9dbf667bc266a6188dc460c7ae5be60acbcd224a125ec7e3a0cd5a053e88125fbb710cafc89a74b073f97

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
96158362a7206fd246417bc50391fa97

SHA1
9a7918955242b862b639bd63306284249261e37f

SHA256
c1ab0ec399522a231e691ff50c1a30963178f33261f4da9eca6049a3b031b5d3

SHA512
ba6da4e329f3ecb85262f1f3ae19b02742250a311d9f3d80ba6159e10645654bcc2e3e98726b063bbe6eabb5698cdecd407af6b94d907453ebf239f6a31178d4

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
96158362a7206fd246417bc50391fa97

SHA1
9a7918955242b862b639bd63306284249261e37f

SHA256
c1ab0ec399522a231e691ff50c1a30963178f33261f4da9eca6049a3b031b5d3

SHA512
ba6da4e329f3ecb85262f1f3ae19b02742250a311d9f3d80ba6159e10645654bcc2e3e98726b063bbe6eabb5698cdecd407af6b94d907453ebf239f6a31178d4

Download Submit
\Users\Admin\AppData\Local\Temp\1905044341\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\1905044341\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7cac2ca404d8c6a2aaf0ea1fa7eb990b

SHA1
aa487b2dafa2477623e39a2a50a75e0992e71289

SHA256
fd9bdba046864857f717294c4c6d52c8607c5714bf2fa557c1bf19ec3ed69408

SHA512
097e186d6a016b827e049d6b558a6a75fa685bfac0b7344331273da09354870aead44855ea7ee364ba0f461074db6ea0569508c84e862faeafb0658fb5f9c322

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1bbf04d5d5531cdee30855e49b21b0e5

SHA1
90d054404d75f268b2a4befa7ee363d7253014ed

SHA256
b2a052a1933e02d012d434fbb4a4d76213ff545c7b42dceafc3535d1cf7cbd88

SHA512
1e2da9194f2edda23892e8e1af4e4153796a28b7211e3ef70746911c7c9deb29d1b6a8ac6abe712f6850f41fea896dcd859434fac38b39ca9e8c1e4602f958d8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8d20ec99bd6c5f428f8fe58011fa3b53

SHA1
9b8945c6e8396fe5ca8fbebdf526e90b3555e976

SHA256
848cfccda179a32842825aa3daac16219dd87cbc64751a2e32cfe2b0f5aef0e3

SHA512
ed6c8bd2a1ff94822671667230bbb3a7ddb496c52a2addfa32a448eccff6075474b11f650ec1a365ced93175dc39db768fab3ae49c5983a6a9252e4669b7dfd1

Download Submit
memory/668-72-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/992-182-0x0000000074611000-0x0000000074613000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads