0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855

Analysis

max time kernel
120s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
Size

72KB
MD5

0f052e3ed132e2dea01a8465bc82f8cd
SHA1

4ea2cd16fe188923f0163d1147fe4c9603fc01a4
SHA256

0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855
SHA512

13a1312c457df0947fc7a8311eae617a4fbf3364b8f8419dcc0940d27cc8c821e4c4ae6b24b1dcd2aeb0cb3a568c182b0d964d698c762c4ca41709d5ccd5c9a8
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2X:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
964	backup.exe
1280	backup.exe
1200	backup.exe
1324	backup.exe
1308	backup.exe
868	data.exe
520	backup.exe
872	backup.exe
596	backup.exe
1004	backup.exe
1064	backup.exe
304	backup.exe
1260	data.exe
992	backup.exe
1652	update.exe
1944	backup.exe
948	backup.exe
1456	backup.exe
1416	backup.exe
1276	backup.exe
1324	backup.exe
768	backup.exe
868	backup.exe
1496	backup.exe
316	backup.exe
1548	backup.exe
1600	data.exe
1348	data.exe
1592	backup.exe
1992	backup.exe
1676	backup.exe
1668	backup.exe
1868	backup.exe
1800	backup.exe
1544	update.exe
1820	data.exe
1532	backup.exe
1312	backup.exe
1804	backup.exe
952	System Restore.exe
1752	data.exe
744	backup.exe
1320	backup.exe
1168	backup.exe
1416	backup.exe
832	backup.exe
584	System Restore.exe
1368	System Restore.exe
108	update.exe
828	backup.exe
1780	backup.exe
2016	backup.exe
1592	data.exe
568	update.exe
1672	backup.exe
1624	backup.exe
1800	backup.exe
1876	backup.exe
864	backup.exe
944	backup.exe
2000	backup.exe
1336	backup.exe
1536	backup.exe
676	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
872	backup.exe
872	backup.exe
596	backup.exe
596	backup.exe
872	backup.exe
872	backup.exe
1064	backup.exe
1064	backup.exe
304	backup.exe
304	backup.exe
1064	backup.exe
1064	backup.exe
992	backup.exe
1652	update.exe
1652	update.exe
1652	update.exe
1652	update.exe
1652	update.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1652	update.exe
1652	update.exe
948	backup.exe
948	backup.exe
948	backup.exe
948	backup.exe
948	backup.exe
1456	backup.exe
1456	backup.exe
1456	backup.exe
948	backup.exe
948	backup.exe
1416	backup.exe
1416	backup.exe
1416	backup.exe
948	backup.exe
948	backup.exe
992	backup.exe
992	backup.exe
872	backup.exe
872	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
1064	backup.exe
1064	backup.exe
992	backup.exe
992	backup.exe
1652	update.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
964	backup.exe
1280	backup.exe
1200	backup.exe
1324	backup.exe
1308	backup.exe
868	data.exe
520	backup.exe
872	backup.exe
596	backup.exe
1004	backup.exe
1064	backup.exe
304	backup.exe
1260	data.exe
992	backup.exe
1652	update.exe
1944	backup.exe
948	backup.exe
1456	backup.exe
1416	backup.exe
1276	backup.exe
1324	backup.exe
768	backup.exe
868	backup.exe
1496	backup.exe
316	backup.exe
1600	data.exe
1548	backup.exe
1348	data.exe
1592	data.exe
1992	backup.exe
1676	backup.exe
1668	backup.exe
1868	backup.exe
1800	backup.exe
1820	data.exe
1544	update.exe
1532	backup.exe
1312	backup.exe
1804	backup.exe
1752	data.exe
744	backup.exe
1320	backup.exe
1168	backup.exe
1416	backup.exe
268	backup.exe
1368	System Restore.exe
584	System Restore.exe
832	backup.exe
1984	backup.exe
108	update.exe
828	backup.exe
1780	backup.exe
1476	backup.exe
2016	backup.exe
1592	data.exe
1672	backup.exe
1624	backup.exe
568	update.exe
1560	backup.exe
1800	backup.exe
2000	backup.exe
944	backup.exe
1876	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 964	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	28
PID 904 wrote to memory of 964	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	28
PID 904 wrote to memory of 964	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	28
PID 904 wrote to memory of 964	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	28
PID 904 wrote to memory of 1280	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	29
PID 904 wrote to memory of 1280	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	29
PID 904 wrote to memory of 1280	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	29
PID 904 wrote to memory of 1280	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	29
PID 904 wrote to memory of 1200	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	30
PID 904 wrote to memory of 1200	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	30
PID 904 wrote to memory of 1200	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	30
PID 904 wrote to memory of 1200	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	30
PID 904 wrote to memory of 1324	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	31
PID 904 wrote to memory of 1324	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	31
PID 904 wrote to memory of 1324	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	31
PID 904 wrote to memory of 1324	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	31
PID 904 wrote to memory of 1308	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	32
PID 904 wrote to memory of 1308	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	32
PID 904 wrote to memory of 1308	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	32
PID 904 wrote to memory of 1308	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	32
PID 904 wrote to memory of 868	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	33
PID 904 wrote to memory of 868	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	33
PID 904 wrote to memory of 868	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	33
PID 904 wrote to memory of 868	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	33
PID 904 wrote to memory of 520	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	34
PID 904 wrote to memory of 520	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	34
PID 904 wrote to memory of 520	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	34
PID 904 wrote to memory of 520	904	0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe	34
PID 964 wrote to memory of 872	964	backup.exe	35
PID 964 wrote to memory of 872	964	backup.exe	35
PID 964 wrote to memory of 872	964	backup.exe	35
PID 964 wrote to memory of 872	964	backup.exe	35
PID 872 wrote to memory of 596	872	backup.exe	36
PID 872 wrote to memory of 596	872	backup.exe	36
PID 872 wrote to memory of 596	872	backup.exe	36
PID 872 wrote to memory of 596	872	backup.exe	36
PID 596 wrote to memory of 1004	596	backup.exe	37
PID 596 wrote to memory of 1004	596	backup.exe	37
PID 596 wrote to memory of 1004	596	backup.exe	37
PID 596 wrote to memory of 1004	596	backup.exe	37
PID 872 wrote to memory of 1064	872	backup.exe	38
PID 872 wrote to memory of 1064	872	backup.exe	38
PID 872 wrote to memory of 1064	872	backup.exe	38
PID 872 wrote to memory of 1064	872	backup.exe	38
PID 1064 wrote to memory of 304	1064	backup.exe	39
PID 1064 wrote to memory of 304	1064	backup.exe	39
PID 1064 wrote to memory of 304	1064	backup.exe	39
PID 1064 wrote to memory of 304	1064	backup.exe	39
PID 304 wrote to memory of 1260	304	backup.exe	40
PID 304 wrote to memory of 1260	304	backup.exe	40
PID 304 wrote to memory of 1260	304	backup.exe	40
PID 304 wrote to memory of 1260	304	backup.exe	40
PID 1064 wrote to memory of 992	1064	backup.exe	41
PID 1064 wrote to memory of 992	1064	backup.exe	41
PID 1064 wrote to memory of 992	1064	backup.exe	41
PID 1064 wrote to memory of 992	1064	backup.exe	41
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 992 wrote to memory of 1652	992	backup.exe	42
PID 1652 wrote to memory of 1944	1652	update.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe

C:\Users\Admin\AppData\Local\Temp\0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe
"C:\Users\Admin\AppData\Local\Temp\0e4fa22e53d5e4fc68b1f98990e78eb6df7761ace0978e52e9ef8664de044855.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\2840503821\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2840503821\backup.exe C:\Users\Admin\AppData\Local\Temp\2840503821\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:964
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:872
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Program Files\7-Zip\Lang\data.exe
        
        "C:\Program Files\7-Zip\Lang\data.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1260
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2552
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
      - C:\Program Files\Common Files\System\update.exe
        
        "C:\Program Files\Common Files\System\update.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\System\ado\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\data.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\update.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:944
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:584
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2124
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:868
      - C:\Program Files\DVD Maker\de-DE\data.exe
        
        "C:\Program Files\DVD Maker\de-DE\data.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1348
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1800
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
      - C:\Program Files\DVD Maker\it-IT\System Restore.exe
        
        "C:\Program Files\DVD Maker\it-IT\System Restore.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1336
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        
        PID:856
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        
        PID:828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1264
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1640
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1548
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2528
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1924
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1748
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:596
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1944
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:868
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1320
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1820
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2212
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1068
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2116
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1824
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1624
      - C:\Program Files\Internet Explorer\es-ES\data.exe
        
        "C:\Program Files\Internet Explorer\es-ES\data.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1756
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1616
      - C:\Program Files\Internet Explorer\images\System Restore.exe
        
        "C:\Program Files\Internet Explorer\images\System Restore.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1032
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1196
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1112
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2560
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1168
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1524
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2568
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:768
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1600
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1532
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:760
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:1308
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:968
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1164
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1532
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:468
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:364
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2536
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1632
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:1500
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1368
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:896
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2204
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      PID:936
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:924
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:384
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:556
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1708
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1392
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1864
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2100
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1260
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1108
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:868
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
C:\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
90e953f4aabea37e13bc90b66bf384d4

SHA1
f1a21d06766d3bddefa7647e33de3c0a9b519dd4

SHA256
b0d3fbb970d0ed310e69084a626fe969c50448ca1576f3bf173083a162389b25

SHA512
50c281e423e858f5d931603b86c6be9cbdb4a35752cdede5ea853e6cd777c47eacd35274ec74f676fb01a9cc5458eac32a5b290eda1784afdca9bcfd9bfa01d0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5f6d62a0898bb926477b935bf632c8ca

SHA1
b63327d82c6be7f18d456559f50cc857148163da

SHA256
32d829caf23e7383c72edb8845e57e097406c5d188de2af2ad5138514680482e

SHA512
70b9f736d62d660482a0e45cac6c4d1acaf6fdc59d022560cfc5d6c600a3a3bfea87498ed6b5e02c31790177b761964dce6de4d20b16df0dd647db54da9c60a0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5f6d62a0898bb926477b935bf632c8ca

SHA1
b63327d82c6be7f18d456559f50cc857148163da

SHA256
32d829caf23e7383c72edb8845e57e097406c5d188de2af2ad5138514680482e

SHA512
70b9f736d62d660482a0e45cac6c4d1acaf6fdc59d022560cfc5d6c600a3a3bfea87498ed6b5e02c31790177b761964dce6de4d20b16df0dd647db54da9c60a0

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2840503821\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\2840503821\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8f434f610cb7a0c280a1a093faa9e666

SHA1
d6f7b22a77b4498129776803c4ca5d656642ecf7

SHA256
297478d36102a49a981fca8bf622fe12b7939bac83f7ec32b67cefe37c5dce26

SHA512
15b270d3eba5e103967f568654566b133306541b6f20b91c43756444ade356edf86fb18fce64927b056f9564263c22dd47121c4da7d20becd7dbccedf4feb2c8

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8f434f610cb7a0c280a1a093faa9e666

SHA1
d6f7b22a77b4498129776803c4ca5d656642ecf7

SHA256
297478d36102a49a981fca8bf622fe12b7939bac83f7ec32b67cefe37c5dce26

SHA512
15b270d3eba5e103967f568654566b133306541b6f20b91c43756444ade356edf86fb18fce64927b056f9564263c22dd47121c4da7d20becd7dbccedf4feb2c8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
90e953f4aabea37e13bc90b66bf384d4

SHA1
f1a21d06766d3bddefa7647e33de3c0a9b519dd4

SHA256
b0d3fbb970d0ed310e69084a626fe969c50448ca1576f3bf173083a162389b25

SHA512
50c281e423e858f5d931603b86c6be9cbdb4a35752cdede5ea853e6cd777c47eacd35274ec74f676fb01a9cc5458eac32a5b290eda1784afdca9bcfd9bfa01d0

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
90e953f4aabea37e13bc90b66bf384d4

SHA1
f1a21d06766d3bddefa7647e33de3c0a9b519dd4

SHA256
b0d3fbb970d0ed310e69084a626fe969c50448ca1576f3bf173083a162389b25

SHA512
50c281e423e858f5d931603b86c6be9cbdb4a35752cdede5ea853e6cd777c47eacd35274ec74f676fb01a9cc5458eac32a5b290eda1784afdca9bcfd9bfa01d0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
76d927c126d5d68edf91ede7c8fd7ffd

SHA1
7318a219c0e4c2f58c9e67523a93da3b0902ca32

SHA256
f937f124b3b57f7b204f8af39970e64de8a4f8e7a6f8771e7ecbc4c66963df67

SHA512
2fa4c525d76de6973071f9c7737314eb003abbbb64b7d4f7a3cb73c81f035b4f311f177ab79ddad997d9c33276d56bbfdb26420dcfe84756820d464abff91d1f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1cd922d95810e583a5cbfa7b778ef314

SHA1
b1099d1acb320df100509fd9ef1f7f22a27428d6

SHA256
0a305e0deb8757f4ca3e63cc8068caa041a43cb622ec6de99512b7e4f99cdfd2

SHA512
1dc47b6499a8e03757b28557046ac4a051e182781a1e54559d6681fc6f12c045145fcc961195772c894bf536c54fad545b16fc22eeb79c1cc7aeaa8686821f5b

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
6a9e37e9821ac9b710704fdfbe61855f

SHA1
33321836d71806dc0612027e9bc2710b9846ab82

SHA256
015fc50167ea4a5b825d564fb41964ac027d86f9035a46e34dbdf42853ce1bc7

SHA512
c54bc711f670ba4942d3e9a8dc3628b95136362e98a2b4ad6727a906f1bfb21f96d52050938cb3464cd143efe90f8847cb522dcfe1f68e1fe7c83f21917c77c2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5f6d62a0898bb926477b935bf632c8ca

SHA1
b63327d82c6be7f18d456559f50cc857148163da

SHA256
32d829caf23e7383c72edb8845e57e097406c5d188de2af2ad5138514680482e

SHA512
70b9f736d62d660482a0e45cac6c4d1acaf6fdc59d022560cfc5d6c600a3a3bfea87498ed6b5e02c31790177b761964dce6de4d20b16df0dd647db54da9c60a0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5f6d62a0898bb926477b935bf632c8ca

SHA1
b63327d82c6be7f18d456559f50cc857148163da

SHA256
32d829caf23e7383c72edb8845e57e097406c5d188de2af2ad5138514680482e

SHA512
70b9f736d62d660482a0e45cac6c4d1acaf6fdc59d022560cfc5d6c600a3a3bfea87498ed6b5e02c31790177b761964dce6de4d20b16df0dd647db54da9c60a0

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
359990a54646e0a041b3ef3e28ee887d

SHA1
d7db0076b9f945027320d762ee44ef88d0393de4

SHA256
9ae0346dd7afec9cb7b83ddfffb21733bedaf78eaf5531acbcfb5aa11e54a1a8

SHA512
14b9dc4cdf9bbed88fa8295707e113ce78487faeede84cffae8bc81906afbfb0542248ea5cf3450513bc7b32a9d70f25137efa706c4a4c79b2a28a94a5c89efe

Download Submit
\Users\Admin\AppData\Local\Temp\2840503821\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\2840503821\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
d083e491a0cb9bb26ed61a6d67080b88

SHA1
f9d1191441670d29096e3819d0f5f6e634315579

SHA256
aaba203a4e599ee15a92f2f971e6cf15a4e62163eda29c438e7a3442a9e3dc0e

SHA512
1d69fe35d79e5cb8d2391c0efce8434a359d3eb97346711d62a2ae7f73915f809a7f4e30b941e3d42bb9fd584a2649144b023717d2661cfc1741136e5860b119

Download Submit
memory/904-124-0x00000000748D1000-0x00000000748D3000-memory.dmp

Filesize
8KB

Download
memory/904-98-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads