542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
Size

72KB
MD5

0cd80e7db3a774592c4e31da708c072e
SHA1

4f4cd6480c2e96496dbba401cdb400b255899ad1
SHA256

542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540
SHA512

6ea57b3562517aded33990a152469e94dd865b7885cfed0c6ebf3712bb87acf99813389636fb57aa7600e5a8eced292c4bd2ba1e77ddc37b0811d6f96fca2d48
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2f:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrT

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1728	backup.exe
1592	backup.exe
1492	backup.exe
1348	backup.exe
1632	backup.exe
468	data.exe
1860	backup.exe
584	backup.exe
896	backup.exe
1224	backup.exe
1252	backup.exe
392	backup.exe
296	backup.exe
1384	backup.exe
764	backup.exe
1076	backup.exe
960	backup.exe
788	backup.exe
1608	backup.exe
1548	backup.exe
268	backup.exe
1280	backup.exe
360	backup.exe
1676	backup.exe
1388	backup.exe
1700	backup.exe
1112	backup.exe
1520	backup.exe
1504	backup.exe
296	backup.exe
892	backup.exe
1616	backup.exe
1688	backup.exe
1300	backup.exe
1356	backup.exe
1268	backup.exe
560	backup.exe
520	backup.exe
1916	data.exe
648	System Restore.exe
324	backup.exe
1608	backup.exe
268	backup.exe
1840	backup.exe
1132	backup.exe
788	update.exe
304	backup.exe
1576	backup.exe
1516	backup.exe
876	backup.exe
1012	backup.exe
1868	backup.exe
1112	backup.exe
1592	backup.exe
2024	backup.exe
1208	backup.exe
1816	backup.exe
980	backup.exe
300	update.exe
1860	backup.exe
648	backup.exe
276	backup.exe
1584	update.exe
928	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
584	backup.exe
584	backup.exe
896	backup.exe
896	backup.exe
584	backup.exe
584	backup.exe
1252	backup.exe
1252	backup.exe
392	backup.exe
392	backup.exe
1252	backup.exe
1252	backup.exe
1384	backup.exe
1384	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
764	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
752	backup.exe
584	backup.exe
584	backup.exe
752	backup.exe
1384	backup.exe
1384	backup.exe
764	backup.exe
764	backup.exe
1252	backup.exe
1252	backup.exe
1504	backup.exe
1520	backup.exe
1504	backup.exe
1520	backup.exe
1384	backup.exe
1384	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	data.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\update.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
1728	backup.exe
1592	backup.exe
1492	backup.exe
1348	backup.exe
1632	backup.exe
468	data.exe
1860	backup.exe
584	backup.exe
896	backup.exe
1224	backup.exe
1252	backup.exe
392	backup.exe
296	backup.exe
1384	backup.exe
764	backup.exe
1076	backup.exe
1536	backup.exe
1468	backup.exe
1208	backup.exe
1380	backup.exe
1816	backup.exe
1268	backup.exe
1348	backup.exe
820	backup.exe
1632	backup.exe
1164	backup.exe
468	backup.exe
752	backup.exe
788	backup.exe
1608	backup.exe
1548	backup.exe
268	backup.exe
1280	backup.exe
360	backup.exe
1676	backup.exe
1388	backup.exe
1700	backup.exe
1072	backup.exe
1504	backup.exe
1112	backup.exe
296	backup.exe
1520	backup.exe
892	backup.exe
1524	backup.exe
1616	backup.exe
1688	backup.exe
1300	backup.exe
1356	backup.exe
1268	backup.exe
820	backup.exe
560	backup.exe
520	backup.exe
1916	data.exe
648	System Restore.exe
2016	backup.exe
1608	backup.exe
324	backup.exe
1132	backup.exe
1840	backup.exe
1308	backup.exe
268	backup.exe
304	backup.exe
1576	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1728	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	28
PID 1980 wrote to memory of 1728	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	28
PID 1980 wrote to memory of 1728	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	28
PID 1980 wrote to memory of 1728	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	28
PID 1980 wrote to memory of 1592	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	29
PID 1980 wrote to memory of 1592	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	29
PID 1980 wrote to memory of 1592	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	29
PID 1980 wrote to memory of 1592	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	29
PID 1980 wrote to memory of 1492	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	30
PID 1980 wrote to memory of 1492	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	30
PID 1980 wrote to memory of 1492	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	30
PID 1980 wrote to memory of 1492	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	30
PID 1980 wrote to memory of 1348	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	31
PID 1980 wrote to memory of 1348	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	31
PID 1980 wrote to memory of 1348	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	31
PID 1980 wrote to memory of 1348	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	31
PID 1980 wrote to memory of 1632	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	32
PID 1980 wrote to memory of 1632	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	32
PID 1980 wrote to memory of 1632	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	32
PID 1980 wrote to memory of 1632	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	32
PID 1980 wrote to memory of 468	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	33
PID 1980 wrote to memory of 468	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	33
PID 1980 wrote to memory of 468	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	33
PID 1980 wrote to memory of 468	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	33
PID 1980 wrote to memory of 1860	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	34
PID 1980 wrote to memory of 1860	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	34
PID 1980 wrote to memory of 1860	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	34
PID 1980 wrote to memory of 1860	1980	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe	34
PID 1728 wrote to memory of 584	1728	backup.exe	35
PID 1728 wrote to memory of 584	1728	backup.exe	35
PID 1728 wrote to memory of 584	1728	backup.exe	35
PID 1728 wrote to memory of 584	1728	backup.exe	35
PID 584 wrote to memory of 896	584	backup.exe	36
PID 584 wrote to memory of 896	584	backup.exe	36
PID 584 wrote to memory of 896	584	backup.exe	36
PID 584 wrote to memory of 896	584	backup.exe	36
PID 896 wrote to memory of 1224	896	backup.exe	37
PID 896 wrote to memory of 1224	896	backup.exe	37
PID 896 wrote to memory of 1224	896	backup.exe	37
PID 896 wrote to memory of 1224	896	backup.exe	37
PID 584 wrote to memory of 1252	584	backup.exe	38
PID 584 wrote to memory of 1252	584	backup.exe	38
PID 584 wrote to memory of 1252	584	backup.exe	38
PID 584 wrote to memory of 1252	584	backup.exe	38
PID 1252 wrote to memory of 392	1252	backup.exe	39
PID 1252 wrote to memory of 392	1252	backup.exe	39
PID 1252 wrote to memory of 392	1252	backup.exe	39
PID 1252 wrote to memory of 392	1252	backup.exe	39
PID 392 wrote to memory of 296	392	backup.exe	40
PID 392 wrote to memory of 296	392	backup.exe	40
PID 392 wrote to memory of 296	392	backup.exe	40
PID 392 wrote to memory of 296	392	backup.exe	40
PID 1252 wrote to memory of 1384	1252	backup.exe	41
PID 1252 wrote to memory of 1384	1252	backup.exe	41
PID 1252 wrote to memory of 1384	1252	backup.exe	41
PID 1252 wrote to memory of 1384	1252	backup.exe	41
PID 1384 wrote to memory of 764	1384	backup.exe	42
PID 1384 wrote to memory of 764	1384	backup.exe	42
PID 1384 wrote to memory of 764	1384	backup.exe	42
PID 1384 wrote to memory of 764	1384	backup.exe	42
PID 764 wrote to memory of 1076	764	backup.exe	43
PID 764 wrote to memory of 1076	764	backup.exe	43
PID 764 wrote to memory of 1076	764	backup.exe	43
PID 764 wrote to memory of 1076	764	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe
"C:\Users\Admin\AppData\Local\Temp\542597edfeadb965a547d8b2a879f50500ae63e7fb355f3651018f5e821af540.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980
- C:\Users\Admin\AppData\Local\Temp\1886718478\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1886718478\backup.exe C:\Users\Admin\AppData\Local\Temp\1886718478\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1728
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:296
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:980
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1516
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1112
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:648
        
        C:\Program Files\Common Files\System\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\de-DE\update.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1308
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1604
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1324
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1356
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:648
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1576
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:2024
      - C:\Program Files\DVD Maker\Shared\update.exe
        
        "C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:952
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1204
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1544
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1428
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1840
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1312
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1696
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1992
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1600
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1744
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1504
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:1592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1208
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Executes dropped EXE
        
        PID:276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:324
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1008
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:784
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:560
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:940
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1520
      - C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1688
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:672
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        System policy modification
        
        PID:936
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:960
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1580
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1816
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1032
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1020
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1112
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1268
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:324
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:604
      - C:\Users\Admin\Downloads\System Restore.exe
        
        "C:\Users\Admin\Downloads\System Restore.exe" C:\Users\Admin\Downloads\
        6⤵
        
        PID:316
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1308
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1700
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:820
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1072
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a3822bd0bd5133c36aae6bb01a21f37d

SHA1
1660c0070f1fb35804d4a7c7753419ae002f7ed0

SHA256
41afdb8515157e6663e10dcf6fecfeb9c30136119d3e1ce31f33c9df2d6e990c

SHA512
5ef201570b11d4045bd8b975d872b7ea52e1da418d962679b89eb6b923d041e46cb34976771c3a853cb9602ab09f11fd4d1892226f07732bec19491e247e06cf

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
d01e5936ea7660331567b6cdd2e0406d

SHA1
bc3ab408dc0be548eddae70406d52e4e8d09a222

SHA256
b819854c22bbc4c7f66a158cbfdcbbb1c53a3f0ad768d50e9026eb7591e9def0

SHA512
359b872d90509f27143674a0444675e496192771e1ffd9f50db539eba5ee28e8634d156131b86e9c5dd4d9f5513091d7664535730e4875254e6711ea311f935b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
d01e5936ea7660331567b6cdd2e0406d

SHA1
bc3ab408dc0be548eddae70406d52e4e8d09a222

SHA256
b819854c22bbc4c7f66a158cbfdcbbb1c53a3f0ad768d50e9026eb7591e9def0

SHA512
359b872d90509f27143674a0444675e496192771e1ffd9f50db539eba5ee28e8634d156131b86e9c5dd4d9f5513091d7664535730e4875254e6711ea311f935b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7dba7a431a526699a4dcf10c5a3bec06

SHA1
85c9921a8372ff59e538523830eda6a57a6e31ff

SHA256
bd618b0788fbbc5d5cbd8ff8079b51577dcab4c999475284a5da3f30689e8192

SHA512
75f98b9a8b135162e159d7846b1d19f322f5c7a26efa9405872733203f8a9a6cd95a0f685066f2d3cdfcaf6b264409164c3eaa4a119efaf408991de6cad91767

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7dba7a431a526699a4dcf10c5a3bec06

SHA1
85c9921a8372ff59e538523830eda6a57a6e31ff

SHA256
bd618b0788fbbc5d5cbd8ff8079b51577dcab4c999475284a5da3f30689e8192

SHA512
75f98b9a8b135162e159d7846b1d19f322f5c7a26efa9405872733203f8a9a6cd95a0f685066f2d3cdfcaf6b264409164c3eaa4a119efaf408991de6cad91767

Download Submit
C:\Users\Admin\AppData\Local\Temp\1886718478\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
C:\Users\Admin\AppData\Local\Temp\1886718478\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a005d01e6fd8a68d9683bf22b6075b28

SHA1
aaa6d42a4ef339e78e780e2017868661e2ad004c

SHA256
f439db5b7616d6b32a04fe6aa28dfa4732db180090cb8e95dd2fa8b8868ba25a

SHA512
551211c6b5ae6b196427d03fee5cb9e01643c6e25972c336dc652fec2f14c079351592cfe9010266c083d0ff8440f8b267135dd2ff68d0ad0e075648f99f6734

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a005d01e6fd8a68d9683bf22b6075b28

SHA1
aaa6d42a4ef339e78e780e2017868661e2ad004c

SHA256
f439db5b7616d6b32a04fe6aa28dfa4732db180090cb8e95dd2fa8b8868ba25a

SHA512
551211c6b5ae6b196427d03fee5cb9e01643c6e25972c336dc652fec2f14c079351592cfe9010266c083d0ff8440f8b267135dd2ff68d0ad0e075648f99f6734

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a3822bd0bd5133c36aae6bb01a21f37d

SHA1
1660c0070f1fb35804d4a7c7753419ae002f7ed0

SHA256
41afdb8515157e6663e10dcf6fecfeb9c30136119d3e1ce31f33c9df2d6e990c

SHA512
5ef201570b11d4045bd8b975d872b7ea52e1da418d962679b89eb6b923d041e46cb34976771c3a853cb9602ab09f11fd4d1892226f07732bec19491e247e06cf

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a3822bd0bd5133c36aae6bb01a21f37d

SHA1
1660c0070f1fb35804d4a7c7753419ae002f7ed0

SHA256
41afdb8515157e6663e10dcf6fecfeb9c30136119d3e1ce31f33c9df2d6e990c

SHA512
5ef201570b11d4045bd8b975d872b7ea52e1da418d962679b89eb6b923d041e46cb34976771c3a853cb9602ab09f11fd4d1892226f07732bec19491e247e06cf

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
d01e5936ea7660331567b6cdd2e0406d

SHA1
bc3ab408dc0be548eddae70406d52e4e8d09a222

SHA256
b819854c22bbc4c7f66a158cbfdcbbb1c53a3f0ad768d50e9026eb7591e9def0

SHA512
359b872d90509f27143674a0444675e496192771e1ffd9f50db539eba5ee28e8634d156131b86e9c5dd4d9f5513091d7664535730e4875254e6711ea311f935b

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
d01e5936ea7660331567b6cdd2e0406d

SHA1
bc3ab408dc0be548eddae70406d52e4e8d09a222

SHA256
b819854c22bbc4c7f66a158cbfdcbbb1c53a3f0ad768d50e9026eb7591e9def0

SHA512
359b872d90509f27143674a0444675e496192771e1ffd9f50db539eba5ee28e8634d156131b86e9c5dd4d9f5513091d7664535730e4875254e6711ea311f935b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
411359beddfe2a5cb33f205773c80f2f

SHA1
d26e0781f3fe9d0391af9caa4e03efd2c5c2685a

SHA256
bc883b6b3d6a33310eedb2c52f49767c71350981a12cfde1e8b8908c710b305e

SHA512
7de3ba5a2d3beec540003f99341a84394256aa7b47916cbc5e6976bd92ab6281c8485a4de0e52ab25fae1895f3c7176361365b1ba57cae5ab02a86890c15c0dc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac81ed11a5fb1b8610a037d38b19bb42

SHA1
a9bd5ecd62a37f03f4e9c4ba2783f2cedc8f498a

SHA256
6f057bbe85f879664147443cd26f73e976c67562b5e6761cbbb4d2508128a1f4

SHA512
24eaf47a11bbf6538219a8f74f52d54044dd1728fee97774dbb89e405dafa35d9037144492c807f68d6842ea00628f164fe51792c49c35b62f24cf70c32dea5d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
367c333332c4f1dc1b56f9831715573c

SHA1
1e6710d5195ecd897ad711090fafbfe194fc8edd

SHA256
dd70ef7e07a1ece3d2e26c086db147263210d9d052e58f62b73e41f03ee2fb30

SHA512
5b52ddcef9fe103ad65594bc618c4f05baf76d25b6b1898bfeefe6354e68d51fbef5742ee607d5214817309e87029f126cf7f25ba3bea8558743b16f78320809

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
6c4ec5c08b9737b10ed0d96ff83da888

SHA1
43405788a1ae88eae2cb8d06be286fba52163004

SHA256
e1400adc6ba04a3de8a45227568a3244724c1da7bbc49927a4fbf168ea34bd49

SHA512
30eccecbb532f8cc859f4cf240a6911ff155f6516e962effe29e4bc2f0ff1d177122958026ce80790689b5b8469cfc2773a5d637c8641ddb6ef0aca0ee0a9dda

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7dba7a431a526699a4dcf10c5a3bec06

SHA1
85c9921a8372ff59e538523830eda6a57a6e31ff

SHA256
bd618b0788fbbc5d5cbd8ff8079b51577dcab4c999475284a5da3f30689e8192

SHA512
75f98b9a8b135162e159d7846b1d19f322f5c7a26efa9405872733203f8a9a6cd95a0f685066f2d3cdfcaf6b264409164c3eaa4a119efaf408991de6cad91767

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7dba7a431a526699a4dcf10c5a3bec06

SHA1
85c9921a8372ff59e538523830eda6a57a6e31ff

SHA256
bd618b0788fbbc5d5cbd8ff8079b51577dcab4c999475284a5da3f30689e8192

SHA512
75f98b9a8b135162e159d7846b1d19f322f5c7a26efa9405872733203f8a9a6cd95a0f685066f2d3cdfcaf6b264409164c3eaa4a119efaf408991de6cad91767

Download Submit
\Users\Admin\AppData\Local\Temp\1886718478\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\1886718478\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2eedbf37520ebe8b12ee12362339a80b

SHA1
1cd13072971546cfac7514197f3068dbc243fab6

SHA256
626137581ab77edb0fefb7d0585c6dce6dbf4660d28cbbd9c9e12d107f0cc9e5

SHA512
44bb132ef71202b19cc83aa992cd9acabd7d7b57f85ee1c08ad34bed257b87c568b33b6b3d815cec13a29752d9cdeedc948646b6af05dc2e26d03e4fe0b42336

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
48dce0845a308a3b094ce8c6735e4640

SHA1
1d49ac10993ef0ab91cc02e39222d4b0ce1e5627

SHA256
796739ed5f52252055d08fdbcc94d997195e1050e1f314ce721481676d9ade7d

SHA512
4c0ec829e802ea24ca5553aac9cfb1746ea4701759cceb7b0d0685e24e75761637554271419f7535d7d577b7d3a65119891ca6e52e513b02452e45dbc5e968e8

Download Submit
memory/1980-131-0x0000000074401000-0x0000000074403000-memory.dmp

Filesize
8KB

Download
memory/1980-103-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads