8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac

Analysis

max time kernel
135s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
Size

72KB
MD5

0ca72daa919b92413e9913c6eac37d78
SHA1

78744d65dd53e548ded505e0ee6078c78e651835
SHA256

8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac
SHA512

0ec011de19510fb9523dfd50c8fe49c477016cb29aec2a30da7561444aa1a375a701f5ade0b63b7ee8e2a3b02f090ca6a3a2b45f3b91c40be543037ce41f44b7
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2m:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPy

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

Executes dropped EXE 64 IoCs

pid	Process
592	backup.exe
596	data.exe
1396	backup.exe
1876	backup.exe
1404	backup.exe
360	backup.exe
1888	backup.exe
1352	backup.exe
572	backup.exe
1784	backup.exe
1948	backup.exe
1612	backup.exe
280	backup.exe
536	data.exe
1820	backup.exe
1760	backup.exe
1732	backup.exe
1304	backup.exe
1592	data.exe
596	backup.exe
1512	backup.exe
776	System Restore.exe
1156	backup.exe
1792	backup.exe
1656	backup.exe
1644	backup.exe
872	backup.exe
1080	backup.exe
1212	System Restore.exe
1352	System Restore.exe
1784	backup.exe
1684	backup.exe
1916	backup.exe
936	backup.exe
1276	backup.exe
1628	backup.exe
1752	backup.exe
1636	backup.exe
688	backup.exe
2008	backup.exe
1740	backup.exe
1596	backup.exe
1624	backup.exe
976	backup.exe
520	backup.exe
1172	backup.exe
1508	data.exe
596	backup.exe
1168	backup.exe
776	backup.exe
1836	backup.exe
1404	backup.exe
1464	backup.exe
1656	update.exe
1700	backup.exe
1668	backup.exe
1960	backup.exe
1368	backup.exe
1756	backup.exe
1692	backup.exe
1736	update.exe
1916	backup.exe
1276	update.exe
1176	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
1888	backup.exe
1888	backup.exe
572	backup.exe
572	backup.exe
1888	backup.exe
1888	backup.exe
1948	backup.exe
1948	backup.exe
1612	backup.exe
1612	backup.exe
1948	backup.exe
1948	backup.exe
536	data.exe
536	data.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
536	data.exe
1888	backup.exe
536	data.exe
1888	backup.exe
1820	backup.exe
1948	backup.exe
1948	backup.exe
1820	backup.exe
1080	backup.exe
1732	backup.exe
1080	backup.exe
1732	backup.exe
1212	System Restore.exe
1212	System Restore.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\ado\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
592	backup.exe
596	data.exe
1396	backup.exe
1876	backup.exe
1404	backup.exe
360	backup.exe
1888	backup.exe
1352	backup.exe
572	backup.exe
1784	backup.exe
1948	backup.exe
1612	backup.exe
280	backup.exe
536	data.exe
1820	backup.exe
1760	backup.exe
1732	backup.exe
1304	backup.exe
1592	data.exe
596	backup.exe
1512	backup.exe
776	System Restore.exe
1156	backup.exe
1792	backup.exe
1656	backup.exe
1644	backup.exe
872	backup.exe
1080	backup.exe
1352	System Restore.exe
1212	System Restore.exe
1684	backup.exe
1916	backup.exe
1784	backup.exe
936	backup.exe
1276	backup.exe
1752	backup.exe
1636	backup.exe
1628	backup.exe
688	backup.exe
2008	backup.exe
1596	backup.exe
520	backup.exe
1740	backup.exe
976	backup.exe
1624	backup.exe
1172	backup.exe
596	backup.exe
1168	backup.exe
1508	data.exe
776	backup.exe
1836	backup.exe
1404	backup.exe
1464	backup.exe
1700	backup.exe
1960	backup.exe
1368	backup.exe
1668	backup.exe
1692	backup.exe
1756	backup.exe
1656	update.exe
1276	update.exe
1736	update.exe
1176	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 592	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	28
PID 960 wrote to memory of 592	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	28
PID 960 wrote to memory of 592	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	28
PID 960 wrote to memory of 592	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	28
PID 960 wrote to memory of 596	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	29
PID 960 wrote to memory of 596	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	29
PID 960 wrote to memory of 596	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	29
PID 960 wrote to memory of 596	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	29
PID 960 wrote to memory of 1396	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	30
PID 960 wrote to memory of 1396	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	30
PID 960 wrote to memory of 1396	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	30
PID 960 wrote to memory of 1396	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	30
PID 960 wrote to memory of 1876	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	31
PID 960 wrote to memory of 1876	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	31
PID 960 wrote to memory of 1876	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	31
PID 960 wrote to memory of 1876	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	31
PID 960 wrote to memory of 1404	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	32
PID 960 wrote to memory of 1404	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	32
PID 960 wrote to memory of 1404	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	32
PID 960 wrote to memory of 1404	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	32
PID 960 wrote to memory of 360	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	33
PID 960 wrote to memory of 360	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	33
PID 960 wrote to memory of 360	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	33
PID 960 wrote to memory of 360	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	33
PID 592 wrote to memory of 1888	592	backup.exe	34
PID 592 wrote to memory of 1888	592	backup.exe	34
PID 592 wrote to memory of 1888	592	backup.exe	34
PID 592 wrote to memory of 1888	592	backup.exe	34
PID 960 wrote to memory of 1352	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	35
PID 960 wrote to memory of 1352	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	35
PID 960 wrote to memory of 1352	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	35
PID 960 wrote to memory of 1352	960	8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe	35
PID 1888 wrote to memory of 572	1888	backup.exe	36
PID 1888 wrote to memory of 572	1888	backup.exe	36
PID 1888 wrote to memory of 572	1888	backup.exe	36
PID 1888 wrote to memory of 572	1888	backup.exe	36
PID 572 wrote to memory of 1784	572	backup.exe	37
PID 572 wrote to memory of 1784	572	backup.exe	37
PID 572 wrote to memory of 1784	572	backup.exe	37
PID 572 wrote to memory of 1784	572	backup.exe	37
PID 1888 wrote to memory of 1948	1888	backup.exe	38
PID 1888 wrote to memory of 1948	1888	backup.exe	38
PID 1888 wrote to memory of 1948	1888	backup.exe	38
PID 1888 wrote to memory of 1948	1888	backup.exe	38
PID 1948 wrote to memory of 1612	1948	backup.exe	39
PID 1948 wrote to memory of 1612	1948	backup.exe	39
PID 1948 wrote to memory of 1612	1948	backup.exe	39
PID 1948 wrote to memory of 1612	1948	backup.exe	39
PID 1612 wrote to memory of 280	1612	backup.exe	40
PID 1612 wrote to memory of 280	1612	backup.exe	40
PID 1612 wrote to memory of 280	1612	backup.exe	40
PID 1612 wrote to memory of 280	1612	backup.exe	40
PID 1948 wrote to memory of 536	1948	backup.exe	41
PID 1948 wrote to memory of 536	1948	backup.exe	41
PID 1948 wrote to memory of 536	1948	backup.exe	41
PID 1948 wrote to memory of 536	1948	backup.exe	41
PID 536 wrote to memory of 1820	536	data.exe	42
PID 536 wrote to memory of 1820	536	data.exe	42
PID 536 wrote to memory of 1820	536	data.exe	42
PID 536 wrote to memory of 1820	536	data.exe	42
PID 1820 wrote to memory of 1760	1820	backup.exe	43
PID 1820 wrote to memory of 1760	1820	backup.exe	43
PID 1820 wrote to memory of 1760	1820	backup.exe	43
PID 1820 wrote to memory of 1760	1820	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c5c0578f8a7b87cda57cc05c6d984e851fbc4dac25d6243c05c3fe7a403c9ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\3848607497\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3848607497\backup.exe C:\Users\Admin\AppData\Local\Temp\3848607497\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1888
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:572
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:280
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:536
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2076
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:704
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:280
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2212
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:700
        
        C:\Program Files\Common Files\System\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\de-DE\data.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1324
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2024
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2068
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2156
    - - C:\Program Files\DVD Maker\System Restore.exe
        
        "C:\Program Files\DVD Maker\System Restore.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1212
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1172
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1176
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1660
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1060
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        System policy modification
        
        PID:1968
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:612
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        System policy modification
        
        PID:1596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:272
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1176
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2180
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        
        PID:704
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1976
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1996
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1724
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2108
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1964
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:1684
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2164
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1080
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2100
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1956
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1012
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1172
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:432
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2036
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1060
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1312
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1508
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1368
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2124
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2116
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:532
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:900
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1624
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:856
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:328
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1376
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:432
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2188
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1248
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1580
    - - C:\Windows\addins\update.exe
        
        C:\Windows\addins\update.exe C:\Windows\addins\
        5⤵
        
        PID:532
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2148
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:596
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:360
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
793b020de13be88e2a3406558e9aaead

SHA1
b74757d1942b7aa3ccb37755c716f92063f70fea

SHA256
0de02b003b60d8bfe5c17fbec985bab4bf2ae58c78377fd46a86d8dd9a41da5f

SHA512
1c334b00e539e202ab13107e17524ffeef4e76c8f62eac1b59482dfa559eb2af705d93b3f5e33a03e556a9757c0469d7b8cef00337c1ee76b054126dea408b8c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
90b8f0c29f5426e61f1b7bc25dfabdd0

SHA1
6bc633879bd36d08ddb50077369335b5e4c00a18

SHA256
bf0a2fc085ab91006b8bd45b35ca0a582335e9e140e96ef8e267bc8d52a5bf32

SHA512
832602699e031f50ea03a1d8a996bdb747019ad7836df2f9f6fb4580ab9a8507855efe446da6e9f2896727217576ed372449ea11e232a288f6c15ab3cf2467cc

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
90b8f0c29f5426e61f1b7bc25dfabdd0

SHA1
6bc633879bd36d08ddb50077369335b5e4c00a18

SHA256
bf0a2fc085ab91006b8bd45b35ca0a582335e9e140e96ef8e267bc8d52a5bf32

SHA512
832602699e031f50ea03a1d8a996bdb747019ad7836df2f9f6fb4580ab9a8507855efe446da6e9f2896727217576ed372449ea11e232a288f6c15ab3cf2467cc

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
e6be87c2a268474d997f94f88655808c

SHA1
c548792040927a1cc9e636640f62e2330ec49444

SHA256
e9a0695ad59a64a413668a86e3639844c4bba178033c7305f1891c9e12290329

SHA512
87726451846b8823ddca2e434dae7bfda54f23b77c8f4229b835467bfddf134f79f2d8f63b8f116cdae8f2e6899d7b62365cbb4317200ab3b534076d3826a873

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6988c2da6dcea8e1caec0664dea9f6ea

SHA1
33afea9e5265ae136478223091175be2d0cd122a

SHA256
71a4a6013ebd1592c81ba5acf9fb24923cf82ae67b938bc0f6579ec2bc979a5e

SHA512
d3709910f554fcab49b623cecf76a38bba09afbd4f6b3f29bbc97763501694675141bac97b1bf1d9c2730cd729a9eedecf62f6928fa4c128482da7cfad427936

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6988c2da6dcea8e1caec0664dea9f6ea

SHA1
33afea9e5265ae136478223091175be2d0cd122a

SHA256
71a4a6013ebd1592c81ba5acf9fb24923cf82ae67b938bc0f6579ec2bc979a5e

SHA512
d3709910f554fcab49b623cecf76a38bba09afbd4f6b3f29bbc97763501694675141bac97b1bf1d9c2730cd729a9eedecf62f6928fa4c128482da7cfad427936

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
35baaec22b0cb8eddb92fbef46092a77

SHA1
f2f8a6fe1e66196bd6befb10619daef6b90e3ddc

SHA256
29d457eb963c56dc2e6ef3b7d51bb358cc2468333e736da028d679fcecb8b678

SHA512
6918d5bb7332e5ebc238289c69ec5ffb08a898cea6340cfe1e205d745e1a5db7a8280b7f67ed05bff806d9194f42637aa4f9a06312458aa7358b7f5e346a039d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
35baaec22b0cb8eddb92fbef46092a77

SHA1
f2f8a6fe1e66196bd6befb10619daef6b90e3ddc

SHA256
29d457eb963c56dc2e6ef3b7d51bb358cc2468333e736da028d679fcecb8b678

SHA512
6918d5bb7332e5ebc238289c69ec5ffb08a898cea6340cfe1e205d745e1a5db7a8280b7f67ed05bff806d9194f42637aa4f9a06312458aa7358b7f5e346a039d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3848607497\backup.exe

Filesize
72KB

MD5
26009de11f3bb31b1abf285052da084e

SHA1
8c65e2759ef1f7cbfe99d74caab8ec3477022178

SHA256
3967dc60f80f8064f323392d068079255665e19f5fc6e5436c6014fda505d18d

SHA512
cfbaa100b8310baba7b8b557dd742c9211e42398f5b1fae288c3b55aa729d9351f4d37335c9b19029acc89cb1b67b04f6da01400a27fb9feee35e757c6bec79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3848607497\backup.exe

Filesize
72KB

MD5
26009de11f3bb31b1abf285052da084e

SHA1
8c65e2759ef1f7cbfe99d74caab8ec3477022178

SHA256
3967dc60f80f8064f323392d068079255665e19f5fc6e5436c6014fda505d18d

SHA512
cfbaa100b8310baba7b8b557dd742c9211e42398f5b1fae288c3b55aa729d9351f4d37335c9b19029acc89cb1b67b04f6da01400a27fb9feee35e757c6bec79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
642ef1cc217979e66c24312cfe903bb8

SHA1
0bbbc9c5f3f41a14b02ad17ad8623e6cd64c7d12

SHA256
cac1b96cb730ea80c6dd6e6301015cda97144569a996ce73210bd861395d9f63

SHA512
8ac06fcd0e8547fb20e09b0ce239d1a82d8180c887179c253acde3dbbce0509a4e5a914e7a7de47f0e836acf50bcd3daa64f6c3a27856825ef4715718f91613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
C:\backup.exe

Filesize
72KB

MD5
88a027e2b9735c672401644504ab3444

SHA1
79a2353a576f959caf9b3e2406877b09620a9676

SHA256
8ca991ae5da2be9ca1074dafd4119c99877675b05c1c8a658f1024871405cf01

SHA512
0aa7593ad3604a3fddd9d0f511bcf4279dc7db45e5123278f1393ef525b3bad3ceabf8256ce89639d4a069c5987e072a77e2e064829a2b03e8b0473d492b4171

Download Submit
C:\backup.exe

Filesize
72KB

MD5
88a027e2b9735c672401644504ab3444

SHA1
79a2353a576f959caf9b3e2406877b09620a9676

SHA256
8ca991ae5da2be9ca1074dafd4119c99877675b05c1c8a658f1024871405cf01

SHA512
0aa7593ad3604a3fddd9d0f511bcf4279dc7db45e5123278f1393ef525b3bad3ceabf8256ce89639d4a069c5987e072a77e2e064829a2b03e8b0473d492b4171

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
793b020de13be88e2a3406558e9aaead

SHA1
b74757d1942b7aa3ccb37755c716f92063f70fea

SHA256
0de02b003b60d8bfe5c17fbec985bab4bf2ae58c78377fd46a86d8dd9a41da5f

SHA512
1c334b00e539e202ab13107e17524ffeef4e76c8f62eac1b59482dfa559eb2af705d93b3f5e33a03e556a9757c0469d7b8cef00337c1ee76b054126dea408b8c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
793b020de13be88e2a3406558e9aaead

SHA1
b74757d1942b7aa3ccb37755c716f92063f70fea

SHA256
0de02b003b60d8bfe5c17fbec985bab4bf2ae58c78377fd46a86d8dd9a41da5f

SHA512
1c334b00e539e202ab13107e17524ffeef4e76c8f62eac1b59482dfa559eb2af705d93b3f5e33a03e556a9757c0469d7b8cef00337c1ee76b054126dea408b8c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
90b8f0c29f5426e61f1b7bc25dfabdd0

SHA1
6bc633879bd36d08ddb50077369335b5e4c00a18

SHA256
bf0a2fc085ab91006b8bd45b35ca0a582335e9e140e96ef8e267bc8d52a5bf32

SHA512
832602699e031f50ea03a1d8a996bdb747019ad7836df2f9f6fb4580ab9a8507855efe446da6e9f2896727217576ed372449ea11e232a288f6c15ab3cf2467cc

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
90b8f0c29f5426e61f1b7bc25dfabdd0

SHA1
6bc633879bd36d08ddb50077369335b5e4c00a18

SHA256
bf0a2fc085ab91006b8bd45b35ca0a582335e9e140e96ef8e267bc8d52a5bf32

SHA512
832602699e031f50ea03a1d8a996bdb747019ad7836df2f9f6fb4580ab9a8507855efe446da6e9f2896727217576ed372449ea11e232a288f6c15ab3cf2467cc

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
e6be87c2a268474d997f94f88655808c

SHA1
c548792040927a1cc9e636640f62e2330ec49444

SHA256
e9a0695ad59a64a413668a86e3639844c4bba178033c7305f1891c9e12290329

SHA512
87726451846b8823ddca2e434dae7bfda54f23b77c8f4229b835467bfddf134f79f2d8f63b8f116cdae8f2e6899d7b62365cbb4317200ab3b534076d3826a873

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
e6be87c2a268474d997f94f88655808c

SHA1
c548792040927a1cc9e636640f62e2330ec49444

SHA256
e9a0695ad59a64a413668a86e3639844c4bba178033c7305f1891c9e12290329

SHA512
87726451846b8823ddca2e434dae7bfda54f23b77c8f4229b835467bfddf134f79f2d8f63b8f116cdae8f2e6899d7b62365cbb4317200ab3b534076d3826a873

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e2f784b9875719583a3e5e7dae517107

SHA1
971b66e64a1d5a110a9935738e80d4c641157ea1

SHA256
69be1bfb8ece5a17991d6fd3318b1257f03571015c247c0fbaa40ef62f26cf0d

SHA512
5d369448e253259990b89cd4cef54bcd4fc8e1b84f710dc1e01432fa9e7eb873a792e377e7bfc172107fbaf11f42445dc3465e0860cdd4102642bc64107706a2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6988c2da6dcea8e1caec0664dea9f6ea

SHA1
33afea9e5265ae136478223091175be2d0cd122a

SHA256
71a4a6013ebd1592c81ba5acf9fb24923cf82ae67b938bc0f6579ec2bc979a5e

SHA512
d3709910f554fcab49b623cecf76a38bba09afbd4f6b3f29bbc97763501694675141bac97b1bf1d9c2730cd729a9eedecf62f6928fa4c128482da7cfad427936

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6988c2da6dcea8e1caec0664dea9f6ea

SHA1
33afea9e5265ae136478223091175be2d0cd122a

SHA256
71a4a6013ebd1592c81ba5acf9fb24923cf82ae67b938bc0f6579ec2bc979a5e

SHA512
d3709910f554fcab49b623cecf76a38bba09afbd4f6b3f29bbc97763501694675141bac97b1bf1d9c2730cd729a9eedecf62f6928fa4c128482da7cfad427936

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
7a6518f893c88eab0b9f3f1338637e4e

SHA1
d477fa585f6192cc026d7afaae5d3da58160f54d

SHA256
b62b26a81ced03e2d06778b415bb29276014446fb23e54df0ef37fb18a46aa9e

SHA512
7331c6b6f43be6ab560c6701ef1fd492b1950b8c1d5ebe149019eddc5f0a416c077629b64e303a486d1df2d7aa873b3768933757666f44772efe1502d2edbf09

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
4c3384430dc11fdfabe191c27d58327a

SHA1
b02732cf4b2666e441cb8931419a90b59ac8145d

SHA256
43ddf2b97f91f2479f115589c103d5b3eab6ee7768783dc59a1a331792f4de71

SHA512
862180e696d77cffadee0dbb22bca37cba9c792bf99a2a13ff554cdc403373c67d3ffcc2d979d9b90540626a0fdfb3f4787b42e518224004541df40dd9fa9159

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
35baaec22b0cb8eddb92fbef46092a77

SHA1
f2f8a6fe1e66196bd6befb10619daef6b90e3ddc

SHA256
29d457eb963c56dc2e6ef3b7d51bb358cc2468333e736da028d679fcecb8b678

SHA512
6918d5bb7332e5ebc238289c69ec5ffb08a898cea6340cfe1e205d745e1a5db7a8280b7f67ed05bff806d9194f42637aa4f9a06312458aa7358b7f5e346a039d

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
35baaec22b0cb8eddb92fbef46092a77

SHA1
f2f8a6fe1e66196bd6befb10619daef6b90e3ddc

SHA256
29d457eb963c56dc2e6ef3b7d51bb358cc2468333e736da028d679fcecb8b678

SHA512
6918d5bb7332e5ebc238289c69ec5ffb08a898cea6340cfe1e205d745e1a5db7a8280b7f67ed05bff806d9194f42637aa4f9a06312458aa7358b7f5e346a039d

Download Submit
\Users\Admin\AppData\Local\Temp\3848607497\backup.exe

Filesize
72KB

MD5
26009de11f3bb31b1abf285052da084e

SHA1
8c65e2759ef1f7cbfe99d74caab8ec3477022178

SHA256
3967dc60f80f8064f323392d068079255665e19f5fc6e5436c6014fda505d18d

SHA512
cfbaa100b8310baba7b8b557dd742c9211e42398f5b1fae288c3b55aa729d9351f4d37335c9b19029acc89cb1b67b04f6da01400a27fb9feee35e757c6bec79c

Download Submit
\Users\Admin\AppData\Local\Temp\3848607497\backup.exe

Filesize
72KB

MD5
26009de11f3bb31b1abf285052da084e

SHA1
8c65e2759ef1f7cbfe99d74caab8ec3477022178

SHA256
3967dc60f80f8064f323392d068079255665e19f5fc6e5436c6014fda505d18d

SHA512
cfbaa100b8310baba7b8b557dd742c9211e42398f5b1fae288c3b55aa729d9351f4d37335c9b19029acc89cb1b67b04f6da01400a27fb9feee35e757c6bec79c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
642ef1cc217979e66c24312cfe903bb8

SHA1
0bbbc9c5f3f41a14b02ad17ad8623e6cd64c7d12

SHA256
cac1b96cb730ea80c6dd6e6301015cda97144569a996ce73210bd861395d9f63

SHA512
8ac06fcd0e8547fb20e09b0ce239d1a82d8180c887179c253acde3dbbce0509a4e5a914e7a7de47f0e836acf50bcd3daa64f6c3a27856825ef4715718f91613c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
642ef1cc217979e66c24312cfe903bb8

SHA1
0bbbc9c5f3f41a14b02ad17ad8623e6cd64c7d12

SHA256
cac1b96cb730ea80c6dd6e6301015cda97144569a996ce73210bd861395d9f63

SHA512
8ac06fcd0e8547fb20e09b0ce239d1a82d8180c887179c253acde3dbbce0509a4e5a914e7a7de47f0e836acf50bcd3daa64f6c3a27856825ef4715718f91613c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b6df88c4fb3cf5de3484e2b58fd8162c

SHA1
861efdba1418cfebcd285241e8d2cb7e3cff7d3d

SHA256
6b8a12a8cab4c17fcfeb76b365f10fc5e19327cba0b0fc6c659ead5bf0c8203a

SHA512
97adc9336993a44a2bdee365999985c5df3c67efb923e0158760eae4491c87c26e55535496db5c6e9b296946cfd9419a8a9b7ff617aa13a06d96ce4acc6eea09

Download Submit
memory/960-108-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/960-130-0x0000000074911000-0x0000000074913000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads