ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211

Analysis

max time kernel
80s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
Size

72KB
MD5

1074bb6ea6ae485a00e5e8a0a2031994
SHA1

60f170cc8b693539e69de744ee535d50a33c2198
SHA256

ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211
SHA512

897a8d3289e6f19d405bd1d142c3c3c3a1d83e79c283e5e1e5bc3a4f1905e40d94eabd54715b627fe99672d55cf9d519f919a62d696f67bb9da76f29517d3bf9
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2P:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrT

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1620	backup.exe
612	backup.exe
1764	backup.exe
948	backup.exe
1152	backup.exe
864	backup.exe
1884	update.exe
748	backup.exe
1916	backup.exe
1656	backup.exe
1476	System Restore.exe
1992	backup.exe
1724	backup.exe
1636	backup.exe
1816	backup.exe
916	backup.exe
1616	backup.exe
2024	System Restore.exe
1576	backup.exe
1904	backup.exe
1420	backup.exe
988	backup.exe
524	backup.exe
688	backup.exe
620	backup.exe
336	backup.exe
808	backup.exe
1884	backup.exe
840	backup.exe
1828	backup.exe
544	backup.exe
432	backup.exe
1656	backup.exe
1744	backup.exe
1332	backup.exe
1608	backup.exe
1124	backup.exe
668	backup.exe
1940	backup.exe
1220	backup.exe
1612	backup.exe
916	backup.exe
1760	backup.exe
1552	backup.exe
2024	backup.exe
1508	backup.exe
1484	backup.exe
1680	data.exe
948	backup.exe
524	backup.exe
1572	backup.exe
288	backup.exe
1912	backup.exe
1168	System Restore.exe
752	backup.exe
1100	backup.exe
1144	backup.exe
1804	backup.exe
1956	backup.exe
1892	backup.exe
972	backup.exe
1488	backup.exe
1480	backup.exe
1992	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1884	update.exe
1884	update.exe
1884	update.exe
748	backup.exe
748	backup.exe
1916	backup.exe
1916	backup.exe
748	backup.exe
748	backup.exe
1476	System Restore.exe
1476	System Restore.exe
1992	backup.exe
1992	backup.exe
1476	System Restore.exe
1476	System Restore.exe
1636	backup.exe
1636	backup.exe
1816	backup.exe
1816	backup.exe
1816	backup.exe
1816	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
1620	backup.exe
612	backup.exe
1764	backup.exe
948	backup.exe
1152	backup.exe
864	backup.exe
1884	update.exe
748	backup.exe
1916	backup.exe
1656	backup.exe
1476	System Restore.exe
1992	backup.exe
1724	backup.exe
1636	backup.exe
1816	backup.exe
916	backup.exe
1616	backup.exe
2024	System Restore.exe
1576	backup.exe
1904	backup.exe
1420	backup.exe
988	backup.exe
524	backup.exe
688	backup.exe
620	backup.exe
336	backup.exe
808	backup.exe
1884	backup.exe
840	backup.exe
1828	backup.exe
544	backup.exe
432	backup.exe
1656	backup.exe
1744	backup.exe
1332	backup.exe
1608	backup.exe
1124	backup.exe
668	backup.exe
1940	backup.exe
1220	backup.exe
1612	backup.exe
916	backup.exe
1760	backup.exe
1552	backup.exe
2024	backup.exe
1508	backup.exe
1484	backup.exe
1680	data.exe
948	backup.exe
524	backup.exe
1572	backup.exe
288	backup.exe
1912	backup.exe
1168	System Restore.exe
752	backup.exe
1100	backup.exe
1144	backup.exe
1804	backup.exe
1956	backup.exe
1892	backup.exe
972	backup.exe
1488	backup.exe
1480	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1620	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	28
PID 1032 wrote to memory of 1620	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	28
PID 1032 wrote to memory of 1620	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	28
PID 1032 wrote to memory of 1620	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	28
PID 1032 wrote to memory of 612	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	29
PID 1032 wrote to memory of 612	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	29
PID 1032 wrote to memory of 612	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	29
PID 1032 wrote to memory of 612	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	29
PID 1032 wrote to memory of 1764	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	30
PID 1032 wrote to memory of 1764	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	30
PID 1032 wrote to memory of 1764	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	30
PID 1032 wrote to memory of 1764	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	30
PID 1032 wrote to memory of 948	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	31
PID 1032 wrote to memory of 948	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	31
PID 1032 wrote to memory of 948	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	31
PID 1032 wrote to memory of 948	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	31
PID 1032 wrote to memory of 1152	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	32
PID 1032 wrote to memory of 1152	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	32
PID 1032 wrote to memory of 1152	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	32
PID 1032 wrote to memory of 1152	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	32
PID 1032 wrote to memory of 864	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	33
PID 1032 wrote to memory of 864	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	33
PID 1032 wrote to memory of 864	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	33
PID 1032 wrote to memory of 864	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	33
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1032 wrote to memory of 1884	1032	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe	34
PID 1620 wrote to memory of 748	1620	backup.exe	35
PID 1620 wrote to memory of 748	1620	backup.exe	35
PID 1620 wrote to memory of 748	1620	backup.exe	35
PID 1620 wrote to memory of 748	1620	backup.exe	35
PID 748 wrote to memory of 1916	748	backup.exe	36
PID 748 wrote to memory of 1916	748	backup.exe	36
PID 748 wrote to memory of 1916	748	backup.exe	36
PID 748 wrote to memory of 1916	748	backup.exe	36
PID 1916 wrote to memory of 1656	1916	backup.exe	37
PID 1916 wrote to memory of 1656	1916	backup.exe	37
PID 1916 wrote to memory of 1656	1916	backup.exe	37
PID 1916 wrote to memory of 1656	1916	backup.exe	37
PID 748 wrote to memory of 1476	748	backup.exe	38
PID 748 wrote to memory of 1476	748	backup.exe	38
PID 748 wrote to memory of 1476	748	backup.exe	38
PID 748 wrote to memory of 1476	748	backup.exe	38
PID 1476 wrote to memory of 1992	1476	System Restore.exe	39
PID 1476 wrote to memory of 1992	1476	System Restore.exe	39
PID 1476 wrote to memory of 1992	1476	System Restore.exe	39
PID 1476 wrote to memory of 1992	1476	System Restore.exe	39
PID 1992 wrote to memory of 1724	1992	backup.exe	40
PID 1992 wrote to memory of 1724	1992	backup.exe	40
PID 1992 wrote to memory of 1724	1992	backup.exe	40
PID 1992 wrote to memory of 1724	1992	backup.exe	40
PID 1476 wrote to memory of 1636	1476	System Restore.exe	41
PID 1476 wrote to memory of 1636	1476	System Restore.exe	41
PID 1476 wrote to memory of 1636	1476	System Restore.exe	41
PID 1476 wrote to memory of 1636	1476	System Restore.exe	41
PID 1636 wrote to memory of 1816	1636	backup.exe	42
PID 1636 wrote to memory of 1816	1636	backup.exe	42
PID 1636 wrote to memory of 1816	1636	backup.exe	42
PID 1636 wrote to memory of 1816	1636	backup.exe	42
PID 1816 wrote to memory of 916	1816	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe
"C:\Users\Admin\AppData\Local\Temp\ce105980b7cbd47f30a2151bc32c1450260892a47455a882471f670521007211.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1032
- C:\Users\Admin\AppData\Local\Temp\250047003\backup.exe
  C:\Users\Admin\AppData\Local\Temp\250047003\backup.exe C:\Users\Admin\AppData\Local\Temp\250047003\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:748
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1476
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1992
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1636
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        System policy modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:980
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1360
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1772
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Drops file in Program Files directory
        
        PID:472
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:620
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:432
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1796
        
        C:\Program Files\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1412
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:888
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1688
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1992
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:668
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1144
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1752
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1232
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1864
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:856
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:988
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1892
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1220
      - C:\Program Files\DVD Maker\Shared\update.exe
        
        "C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1168
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1616
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1144
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1608
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1160
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:108
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:960
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:688
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1732
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1400
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2052
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1680
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1596
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:944
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:892
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1940
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2020
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1804
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2064
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:1336
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        System policy modification
        
        PID:1940
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1612
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1060
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1116
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1100
      - C:\Program Files (x86)\Common Files\Adobe AIR\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:536
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:860
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1576
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:276
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:748
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1552
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:804
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1704
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2076
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1828
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1916
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:572
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1360
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1992
      - C:\Users\Admin\Downloads\System Restore.exe
        
        "C:\Users\Admin\Downloads\System Restore.exe" C:\Users\Admin\Downloads\
        6⤵
        
        PID:1656
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1904
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1648
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1332
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1560
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2000
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1776
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1368
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:612
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:948
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:864
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
26f5d5c6f981e37a55b2a0e65c1c86f4

SHA1
aa025f9a8f72643f3221c92f75b42278f3ac00ea

SHA256
30caa6e4aef8fb74b1647aef63c88199d0f2dbd0ab1558dd61e3bc4bbb80ec38

SHA512
79eef1053e7b5484906e28199f8989ec5dfcf3568d204800e517a8a9d623be823c5d844504cb8614578da250516b97666085cfad83376d1da73bdf42257c8910

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
C:\Users\Admin\AppData\Local\Temp\250047003\backup.exe

Filesize
72KB

MD5
dd169f2831c34d3acfda7747b9b37bd1

SHA1
555dca5435d0b6479e78e8235cae2510f45d9989

SHA256
8526465284a92734345ecf8e458de39ad048d4c944a0cedd3905c8f3b37679e7

SHA512
fa9d6c0d02b680ed86681b8f7568a7709c7c6d995800d89abe3b223ba25ae647decc0cfb654d692fad82dbca9b41547a4a701d161a09cc76e07729b7fded82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\250047003\backup.exe

Filesize
72KB

MD5
dd169f2831c34d3acfda7747b9b37bd1

SHA1
555dca5435d0b6479e78e8235cae2510f45d9989

SHA256
8526465284a92734345ecf8e458de39ad048d4c944a0cedd3905c8f3b37679e7

SHA512
fa9d6c0d02b680ed86681b8f7568a7709c7c6d995800d89abe3b223ba25ae647decc0cfb654d692fad82dbca9b41547a4a701d161a09cc76e07729b7fded82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7754a256b59611c7f100ba191c68d822

SHA1
f210d862b089e1c1c92e7d15406f215feea75b2b

SHA256
ceb7227860770a9a6284b06f885f991fd44759703e631e8176af891ab66167ca

SHA512
b657a02bfc55043813c4054d9d8b14d61e5b1bc0ea96d8081b6685843037123d941d86ba0db028681a4a42ef432a84b32dccf5fd899f96aad4c6d36bda22bb0c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7754a256b59611c7f100ba191c68d822

SHA1
f210d862b089e1c1c92e7d15406f215feea75b2b

SHA256
ceb7227860770a9a6284b06f885f991fd44759703e631e8176af891ab66167ca

SHA512
b657a02bfc55043813c4054d9d8b14d61e5b1bc0ea96d8081b6685843037123d941d86ba0db028681a4a42ef432a84b32dccf5fd899f96aad4c6d36bda22bb0c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
45f1ba9471bf5aa451d43cd17c70098f

SHA1
bee08691fee2215746ff1da5bc085c890f60f7fa

SHA256
0527ac0f1546d2360ccb8727408f5e2999def680cce830669cc073e8248ab0f5

SHA512
cb93077257deb9926d0dda7a34674059e01868a603c64b27c419494cc24c9e3d121cf5e0227d66c467ee22036901a51a17176010df288b2460620db501e8b4d7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
26f5d5c6f981e37a55b2a0e65c1c86f4

SHA1
aa025f9a8f72643f3221c92f75b42278f3ac00ea

SHA256
30caa6e4aef8fb74b1647aef63c88199d0f2dbd0ab1558dd61e3bc4bbb80ec38

SHA512
79eef1053e7b5484906e28199f8989ec5dfcf3568d204800e517a8a9d623be823c5d844504cb8614578da250516b97666085cfad83376d1da73bdf42257c8910

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
26f5d5c6f981e37a55b2a0e65c1c86f4

SHA1
aa025f9a8f72643f3221c92f75b42278f3ac00ea

SHA256
30caa6e4aef8fb74b1647aef63c88199d0f2dbd0ab1558dd61e3bc4bbb80ec38

SHA512
79eef1053e7b5484906e28199f8989ec5dfcf3568d204800e517a8a9d623be823c5d844504cb8614578da250516b97666085cfad83376d1da73bdf42257c8910

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fca7a2ce621764d14b00d83b036f9f56

SHA1
28811603b41cb775ba4fee9a094b0841b1f93758

SHA256
3e2a57edb41cbe7f4703004b0ed2914cf6e02e526fb0fc7b6367711f471149dc

SHA512
e72fffcbfe2dc56cc9bd135656478f85495d0be216670c7923cb939e151fe429e9f87e15eef47ca2a1591e1855d2e6877c274566e9e3d9e2012b47557778e393

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d245dad78c83c82da88f9aee71357f60

SHA1
7026eb151da682b3f897c9560c6d9fbd05d2af86

SHA256
31dd09a12ae936b44987167378cfdf46030414cb3cd3e52be1cbc801ab45b64a

SHA512
278fe0f9aedaaa050164c47cb5602fdb754f40bba20b4d9b392b2f367f3c6dc88fefa132e3c24c9cf2fb7cce23465f00c8deed176cec202f99dbf2bf7ea53a6e

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfcc76e619e9472164a6e8bbffe64b2e

SHA1
f90aa7275b7c6c9f9bf8f2aeab4c8e3b7592624e

SHA256
8377e35c0894b2fe729da5b96b7308f4d4da23b1e946eb5b24337c3afd32f3a1

SHA512
d270d09b55b760555c41bfe824319f5deb006198e141f5cd9413bb1c4d0e762e9fb3bb9dd96ef80e80c135b397ff2dd417f25278cf65568afca8a6f7c8ac90d4

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
b13a4630f14bee25a354a899f5ea8970

SHA1
10827b6ff251c501c8191534f9c89b13b6f634e3

SHA256
5064faf1fd0a57c3f0540863c536ccee7162d02027522926b78513222c524ad6

SHA512
4ebfc4d821c75e7f88cec5e70773cdb35d2f6fff2c033e7df89a763a048ced3f1275928cc3d923e419d1d3935b3cd38feacf830515ad51f99c95687839dcb696

Download Submit
\Users\Admin\AppData\Local\Temp\250047003\backup.exe

Filesize
72KB

MD5
dd169f2831c34d3acfda7747b9b37bd1

SHA1
555dca5435d0b6479e78e8235cae2510f45d9989

SHA256
8526465284a92734345ecf8e458de39ad048d4c944a0cedd3905c8f3b37679e7

SHA512
fa9d6c0d02b680ed86681b8f7568a7709c7c6d995800d89abe3b223ba25ae647decc0cfb654d692fad82dbca9b41547a4a701d161a09cc76e07729b7fded82c4

Download Submit
\Users\Admin\AppData\Local\Temp\250047003\backup.exe

Filesize
72KB

MD5
dd169f2831c34d3acfda7747b9b37bd1

SHA1
555dca5435d0b6479e78e8235cae2510f45d9989

SHA256
8526465284a92734345ecf8e458de39ad048d4c944a0cedd3905c8f3b37679e7

SHA512
fa9d6c0d02b680ed86681b8f7568a7709c7c6d995800d89abe3b223ba25ae647decc0cfb654d692fad82dbca9b41547a4a701d161a09cc76e07729b7fded82c4

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
86ca721bdf05435c157331bbf72ba752

SHA1
4de0a2ef2a3db2010d55a690a25c2733191ceef0

SHA256
052cd2ae8d6bb33c81ba68b636e62335185cb30772906be409cf2ca25646ee6c

SHA512
f5df77e6de85c31bdc1611cb80f5e9c4f4f540ebb9b52a2bca5166ccfc96165ac81aad11bcc3f91be6d8626c5a45f40fb8f556a0c29e0e7f6d042b17f025df8b

Download Submit
memory/1032-122-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/1884-96-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads