8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
Size

72KB
MD5

02500073d71d14460132c5f87379db8c
SHA1

c6d67e3d99cb8eb9651016689d39644a756f4512
SHA256

8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596
SHA512

b8e5eac7c1344c72663fa4fcd9c84988113fe06fb6d127c0580093bba7fd8339bdba13830cbafa7c399e2299d4bc5b6e1c813f3b709a6850150635e8ff27b375
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2D:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPX

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2008	backup.exe
1624	backup.exe
1328	backup.exe
1504	backup.exe
684	backup.exe
844	backup.exe
1028	backup.exe
1020	data.exe
1480	backup.exe
1916	backup.exe
1816	update.exe
1996	backup.exe
920	backup.exe
772	data.exe
1092	backup.exe
276	data.exe
1616	backup.exe
1624	backup.exe
1824	backup.exe
108	backup.exe
1632	backup.exe
1828	backup.exe
556	backup.exe
1196	backup.exe
1564	backup.exe
912	backup.exe
672	System Restore.exe
1668	backup.exe
1664	backup.exe
1160	backup.exe
1956	backup.exe
1652	backup.exe
2016	backup.exe
972	backup.exe
1488	backup.exe
1576	backup.exe
2020	backup.exe
1728	data.exe
1056	backup.exe
2024	backup.exe
812	backup.exe
1100	backup.exe
524	backup.exe
436	backup.exe
684	backup.exe
988	update.exe
1604	backup.exe
848	backup.exe
1932	update.exe
776	System Restore.exe
1568	backup.exe
1948	backup.exe
1912	backup.exe
1672	backup.exe
1080	backup.exe
1572	backup.exe
1752	backup.exe
1180	backup.exe
920	backup.exe
864	backup.exe
2032	backup.exe
2044	backup.exe
1412	backup.exe
1756	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
1020	data.exe
1020	data.exe
1480	backup.exe
1480	backup.exe
1020	data.exe
1816	update.exe
1816	update.exe
1816	update.exe
1816	update.exe
1816	update.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
920	backup.exe
920	backup.exe
920	backup.exe
1816	update.exe
1816	update.exe
772	data.exe
772	data.exe
772	data.exe
772	data.exe
772	data.exe
1092	backup.exe
1092	backup.exe
1092	backup.exe
1092	backup.exe
1092	backup.exe
276	data.exe
276	data.exe
276	data.exe
1092	backup.exe
1092	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1616	backup.exe
1624	backup.exe
1624	backup.exe
1624	backup.exe
1616	backup.exe
1616	backup.exe
1824	backup.exe
1824	backup.exe
1824	backup.exe
1616	backup.exe
1616	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\update.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
2008	backup.exe
1624	backup.exe
1328	backup.exe
1504	backup.exe
684	backup.exe
844	backup.exe
1028	backup.exe
1020	data.exe
1480	backup.exe
1916	backup.exe
1816	update.exe
1996	backup.exe
920	backup.exe
772	data.exe
1092	backup.exe
276	data.exe
1616	backup.exe
1624	backup.exe
1824	backup.exe
108	backup.exe
1632	backup.exe
1828	backup.exe
556	backup.exe
1196	backup.exe
1564	backup.exe
912	backup.exe
672	System Restore.exe
1668	backup.exe
1664	backup.exe
1160	backup.exe
1956	backup.exe
1652	backup.exe
2016	backup.exe
972	backup.exe
1488	backup.exe
1576	backup.exe
2020	backup.exe
1728	data.exe
1056	backup.exe
2024	backup.exe
812	backup.exe
1100	backup.exe
524	backup.exe
436	backup.exe
684	backup.exe
988	update.exe
1604	backup.exe
848	backup.exe
1932	update.exe
776	System Restore.exe
1568	backup.exe
1948	backup.exe
1912	backup.exe
1672	backup.exe
1080	backup.exe
1572	backup.exe
1752	backup.exe
1180	backup.exe
920	backup.exe
864	backup.exe
2032	backup.exe
2044	backup.exe
1756	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2008	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	27
PID 992 wrote to memory of 2008	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	27
PID 992 wrote to memory of 2008	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	27
PID 992 wrote to memory of 2008	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	27
PID 992 wrote to memory of 1624	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	28
PID 992 wrote to memory of 1624	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	28
PID 992 wrote to memory of 1624	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	28
PID 992 wrote to memory of 1624	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	28
PID 992 wrote to memory of 1328	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	29
PID 992 wrote to memory of 1328	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	29
PID 992 wrote to memory of 1328	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	29
PID 992 wrote to memory of 1328	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	29
PID 992 wrote to memory of 1504	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	30
PID 992 wrote to memory of 1504	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	30
PID 992 wrote to memory of 1504	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	30
PID 992 wrote to memory of 1504	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	30
PID 992 wrote to memory of 684	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	31
PID 992 wrote to memory of 684	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	31
PID 992 wrote to memory of 684	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	31
PID 992 wrote to memory of 684	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	31
PID 992 wrote to memory of 844	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	32
PID 992 wrote to memory of 844	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	32
PID 992 wrote to memory of 844	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	32
PID 992 wrote to memory of 844	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	32
PID 992 wrote to memory of 1028	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	33
PID 992 wrote to memory of 1028	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	33
PID 992 wrote to memory of 1028	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	33
PID 992 wrote to memory of 1028	992	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe	33
PID 2008 wrote to memory of 1020	2008	backup.exe	34
PID 2008 wrote to memory of 1020	2008	backup.exe	34
PID 2008 wrote to memory of 1020	2008	backup.exe	34
PID 2008 wrote to memory of 1020	2008	backup.exe	34
PID 1020 wrote to memory of 1480	1020	data.exe	35
PID 1020 wrote to memory of 1480	1020	data.exe	35
PID 1020 wrote to memory of 1480	1020	data.exe	35
PID 1020 wrote to memory of 1480	1020	data.exe	35
PID 1480 wrote to memory of 1916	1480	backup.exe	36
PID 1480 wrote to memory of 1916	1480	backup.exe	36
PID 1480 wrote to memory of 1916	1480	backup.exe	36
PID 1480 wrote to memory of 1916	1480	backup.exe	36
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1020 wrote to memory of 1816	1020	data.exe	37
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1816 wrote to memory of 1996	1816	update.exe	38
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1996 wrote to memory of 920	1996	backup.exe	39
PID 1816 wrote to memory of 772	1816	update.exe	40
PID 1816 wrote to memory of 772	1816	update.exe	40
PID 1816 wrote to memory of 772	1816	update.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe
"C:\Users\Admin\AppData\Local\Temp\8ce18cd367a7b15261a086449254bba1a52cdf38bae3da1b8f7f329b622f6596.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:992
- C:\Users\Admin\AppData\Local\Temp\1781023611\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1781023611\backup.exe C:\Users\Admin\AppData\Local\Temp\1781023611\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\data.exe
    \data.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1020
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1480
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1816
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:920
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\VC\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:568
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:672
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1588
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1608
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1996
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1568
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1700
      - C:\Program Files\DVD Maker\en-US\System Restore.exe
        
        "C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1080
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:304
      - C:\Program Files\DVD Maker\fr-FR\System Restore.exe
        
        "C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1108
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1744
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2024
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1444
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1476
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1804
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2012
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:928
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:804
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1560
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1932
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1200
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:808
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1012
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:988
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1388
    - - C:\Program Files\Mozilla Firefox\update.exe
        
        "C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1132
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1392
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1912
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:108
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:776
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1492
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2032
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1644
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1612
      - C:\Program Files (x86)\Common Files\Adobe AIR\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1052
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1844
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:304
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:344
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:556
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1076
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:972
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1664
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:848
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1568
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1440
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:584
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1324
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      PID:1564
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1616
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:636
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1964
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:684
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:844
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1781023611\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1781023611\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
C:\data.exe

Filesize
72KB

MD5
d131c7694b2cfe75a821ad90eef65280

SHA1
b41989a7ca79489dd09c4a3f90c0cff150ad52bb

SHA256
20f95905b42a2abffcb80d0e44f4c47475c9f9ae5d579542954588907e6c56da

SHA512
e8205a6c015a63896688e11ab922bb3b8d5250ee7f9bb2a42f6c4ed073187838e21e82ee922aa5bf8ac4826eb903da81a72e0577801df54e5fb9682890198dee

Download Submit
C:\data.exe

Filesize
72KB

MD5
d131c7694b2cfe75a821ad90eef65280

SHA1
b41989a7ca79489dd09c4a3f90c0cff150ad52bb

SHA256
20f95905b42a2abffcb80d0e44f4c47475c9f9ae5d579542954588907e6c56da

SHA512
e8205a6c015a63896688e11ab922bb3b8d5250ee7f9bb2a42f6c4ed073187838e21e82ee922aa5bf8ac4826eb903da81a72e0577801df54e5fb9682890198dee

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bd7a968b0f961344d080904ab9e5b2d3

SHA1
7a64e5fca5134e79cff0f7f989de73bca55ca361

SHA256
803d4269d45c131571a5b7d664750caa48d6ed95030642c223d83dd07a12cbe6

SHA512
b1bee8239ab1ccff7124f424f8147a9161e42fc5e8a35f68b26aaaea5e0f4913d910dabf44e8ad13071d90bbbaf4689d0e8a0d028f82898b0d4843870a6069aa

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c73e85826b64a7f905ae201a050cd674

SHA1
ca5250df8d5ba2a6eb0a705d4ac4015d62284fd6

SHA256
862bea7caa4755b7f7c5060a38a3148bb287ae1f6dc61173194b46cc3332e395

SHA512
5f1c7f84514fd80f31c9b5b5d12c97b78a63c77845c18758e94be6d6aff6d1e5232d9df90743d0dd0b6f7dc36c5c08acf9f99ee23cc05cddeef23c989d803781

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
5189db676e506f2074f94a94b25bd05e

SHA1
7e317a71f99bb8c3dbc05c1b15137e4ebacbb84a

SHA256
e4e3f9e8b9abeeb3412d5cbad0c6f83ed5721801c4dd00a27c21c88067c9c2fa

SHA512
a934b3280e25e1c4b0b022884aa1c1db062a25c2f2f029a56814c7ae0db263494f237acb55203a622a4c9d47a0423a09d22c3106ffde060d2ddd24560b260f22

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
55f32c45c334e708f6f761523e6d1fa2

SHA1
daf60f7a4165ebc233e3642adf16ce57fbbab1e9

SHA256
c6b06a49bb8d237d27827432c64aaf60703394448d3199328b8f4c7875f27bd6

SHA512
e05e2b7da920aef6754d32c493fe0d11090d1828441f7b5829a354bfa7377477825ff28d3a6438a9f668b0ce383c5453d87d1d9ee5457a2ec71288fa31cb7584

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
7f73be9c0a6e5f365333df00ca6a25a2

SHA1
68f85ed119bebef9f55e74625e5175d692c91f4c

SHA256
17c97e9f333fa279b0230450c9d3e071f90353482d5866b2cccd00020d2537af

SHA512
718a833e50cd983ea8f0c19e4aa60e7d84a950e04c425d2b24aaec62651c937e6acfc754537af5351d0e0d04ad406b8122dcb9ab200bdb16959b9fa006fee8fa

Download Submit
\Users\Admin\AppData\Local\Temp\1781023611\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
\Users\Admin\AppData\Local\Temp\1781023611\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6e7fe63ffec6badaf111abfac9dba1e5

SHA1
ddec4c220af7bf691db76242a9fd9f5a9789dac7

SHA256
4ec41472907c241b47729fc782b31de9e9f9022bf354014ca079420ce1c56fab

SHA512
0230aa1ed50eb4eec6d4222f2607d13f6141273572457aac683fb9c7bde93e404dfe5e0278e84b4e9d4517640c07db47cd1df2aadb3df4eab0cb4738c42eb19e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a65ebab9d536e6e0fb38998ae96581dc

SHA1
0e54f98b922d7afa78f340e37cf7f35d7f934fea

SHA256
765512f4d9f611b9b23e502e1b859b003bdb3ec6cd9826f64f9882ed92ffb906

SHA512
f6e05c7f3299396601656d171e4b69c648bdbfb2afa64686c267865e3835f65ee017238c80825bd5d11478969056151b423d86c3d10be74ae8b3e2bc4663515a

Download Submit
memory/992-100-0x0000000074901000-0x0000000074903000-memory.dmp

Filesize
8KB

Download
memory/992-98-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads