6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da

Analysis

max time kernel
255s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 07:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
Size

72KB
MD5

06fde1b3ba18cbf154e44ac2b5b91fdf
SHA1

28cb90522fc756f6a45ea93305740886f77ddaaa
SHA256

6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da
SHA512

1e53326c315c69b4c8a7eaea637c677bd399dd9bfa42dc7274326aec5f62e75994fc54010458fd3ebaa643e0ad57258739b217e4f740f50f9e536e773927f3a4
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2I:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPc

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 56 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1536	backup.exe
1792	backup.exe
1028	backup.exe
916	backup.exe
1724	data.exe
1896	backup.exe
1116	backup.exe
752	System Restore.exe
1360	backup.exe
1964	backup.exe
1900	backup.exe
960	backup.exe
1012	backup.exe
628	data.exe
1944	backup.exe
1764	update.exe
1796	backup.exe
688	backup.exe
832	backup.exe
336	backup.exe
900	backup.exe
916	backup.exe
584	backup.exe
1592	backup.exe
892	backup.exe
1068	backup.exe
772	backup.exe
1224	backup.exe
1072	System Restore.exe
1904	backup.exe
1232	backup.exe
836	backup.exe
1808	backup.exe
276	backup.exe
108	data.exe
1704	update.exe
1332	backup.exe
1316	backup.exe
1432	backup.exe
568	backup.exe
1608	backup.exe
1604	backup.exe
268	backup.exe
1844	backup.exe
1876	backup.exe
1100	data.exe
900	backup.exe
2028	update.exe
1664	update.exe
1860	backup.exe
1000	backup.exe
1512	backup.exe
1620	backup.exe
1552	backup.exe
1772	backup.exe
848	backup.exe
1524	backup.exe
1836	backup.exe
904	backup.exe
1804	backup.exe
972	backup.exe
1516	backup.exe
1636	backup.exe
1800	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
752	System Restore.exe
752	System Restore.exe
1360	backup.exe
1360	backup.exe
752	System Restore.exe
752	System Restore.exe
1900	backup.exe
1900	backup.exe
960	backup.exe
960	backup.exe
1900	backup.exe
1900	backup.exe
628	data.exe
628	data.exe
1944	backup.exe
1764	update.exe
1764	update.exe
1764	update.exe
1944	backup.exe
1944	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
752	System Restore.exe
628	data.exe
752	System Restore.exe
1900	backup.exe
1900	backup.exe
1796	backup.exe
628	data.exe
1944	backup.exe
1944	backup.exe
1796	backup.exe
1944	backup.exe
752	System Restore.exe
752	System Restore.exe
1944	backup.exe
1796	backup.exe
628	data.exe
1796	backup.exe
628	data.exe
1900	backup.exe
1900	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\data.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\data.exe	update.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\update.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\data.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	System Restore.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\update.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
1536	backup.exe
1792	backup.exe
1028	backup.exe
916	backup.exe
1724	data.exe
1896	backup.exe
1116	backup.exe
752	System Restore.exe
1360	backup.exe
1964	backup.exe
1900	backup.exe
960	backup.exe
1012	backup.exe
628	data.exe
1944	backup.exe
1764	update.exe
1796	backup.exe
688	backup.exe
832	backup.exe
336	backup.exe
900	backup.exe
916	backup.exe
1592	backup.exe
1068	backup.exe
772	backup.exe
892	backup.exe
584	backup.exe
1072	System Restore.exe
1224	backup.exe
836	backup.exe
1232	backup.exe
1904	backup.exe
1808	backup.exe
276	backup.exe
1332	backup.exe
108	data.exe
1704	update.exe
568	backup.exe
1316	backup.exe
1608	backup.exe
1844	backup.exe
1432	backup.exe
1604	backup.exe
268	backup.exe
1876	backup.exe
1100	data.exe
2028	update.exe
1000	backup.exe
1664	update.exe
900	backup.exe
1860	backup.exe
1552	backup.exe
1512	backup.exe
1620	backup.exe
1772	backup.exe
848	backup.exe
972	backup.exe
1836	backup.exe
1636	backup.exe
1524	backup.exe
1516	backup.exe
788	update.exe
1804	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1536	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	28
PID 1240 wrote to memory of 1536	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	28
PID 1240 wrote to memory of 1536	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	28
PID 1240 wrote to memory of 1536	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	28
PID 1240 wrote to memory of 1792	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	29
PID 1240 wrote to memory of 1792	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	29
PID 1240 wrote to memory of 1792	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	29
PID 1240 wrote to memory of 1792	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	29
PID 1240 wrote to memory of 1028	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	30
PID 1240 wrote to memory of 1028	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	30
PID 1240 wrote to memory of 1028	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	30
PID 1240 wrote to memory of 1028	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	30
PID 1240 wrote to memory of 916	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	31
PID 1240 wrote to memory of 916	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	31
PID 1240 wrote to memory of 916	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	31
PID 1240 wrote to memory of 916	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	31
PID 1240 wrote to memory of 1724	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	32
PID 1240 wrote to memory of 1724	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	32
PID 1240 wrote to memory of 1724	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	32
PID 1240 wrote to memory of 1724	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	32
PID 1240 wrote to memory of 1896	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	33
PID 1240 wrote to memory of 1896	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	33
PID 1240 wrote to memory of 1896	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	33
PID 1240 wrote to memory of 1896	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	33
PID 1240 wrote to memory of 1116	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	34
PID 1240 wrote to memory of 1116	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	34
PID 1240 wrote to memory of 1116	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	34
PID 1240 wrote to memory of 1116	1240	6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe	34
PID 1536 wrote to memory of 752	1536	backup.exe	35
PID 1536 wrote to memory of 752	1536	backup.exe	35
PID 1536 wrote to memory of 752	1536	backup.exe	35
PID 1536 wrote to memory of 752	1536	backup.exe	35
PID 752 wrote to memory of 1360	752	System Restore.exe	36
PID 752 wrote to memory of 1360	752	System Restore.exe	36
PID 752 wrote to memory of 1360	752	System Restore.exe	36
PID 752 wrote to memory of 1360	752	System Restore.exe	36
PID 1360 wrote to memory of 1964	1360	backup.exe	37
PID 1360 wrote to memory of 1964	1360	backup.exe	37
PID 1360 wrote to memory of 1964	1360	backup.exe	37
PID 1360 wrote to memory of 1964	1360	backup.exe	37
PID 752 wrote to memory of 1900	752	System Restore.exe	38
PID 752 wrote to memory of 1900	752	System Restore.exe	38
PID 752 wrote to memory of 1900	752	System Restore.exe	38
PID 752 wrote to memory of 1900	752	System Restore.exe	38
PID 1900 wrote to memory of 960	1900	backup.exe	39
PID 1900 wrote to memory of 960	1900	backup.exe	39
PID 1900 wrote to memory of 960	1900	backup.exe	39
PID 1900 wrote to memory of 960	1900	backup.exe	39
PID 960 wrote to memory of 1012	960	backup.exe	40
PID 960 wrote to memory of 1012	960	backup.exe	40
PID 960 wrote to memory of 1012	960	backup.exe	40
PID 960 wrote to memory of 1012	960	backup.exe	40
PID 1900 wrote to memory of 628	1900	backup.exe	41
PID 1900 wrote to memory of 628	1900	backup.exe	41
PID 1900 wrote to memory of 628	1900	backup.exe	41
PID 1900 wrote to memory of 628	1900	backup.exe	41
PID 628 wrote to memory of 1944	628	data.exe	42
PID 628 wrote to memory of 1944	628	data.exe	42
PID 628 wrote to memory of 1944	628	data.exe	42
PID 628 wrote to memory of 1944	628	data.exe	42
PID 1944 wrote to memory of 1764	1944	backup.exe	43
PID 1944 wrote to memory of 1764	1944	backup.exe	43
PID 1944 wrote to memory of 1764	1944	backup.exe	43
PID 1944 wrote to memory of 1764	1944	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe
"C:\Users\Admin\AppData\Local\Temp\6fcf0bb814bf1223c0b5dcd66153e15c07ceab09232a3b98db329aa17efca7da.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\3339796415\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3339796415\backup.exe C:\Users\Admin\AppData\Local\Temp\3339796415\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:752
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1360
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1900
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:960
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1012
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:628
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1400
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:436
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1232
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
      - C:\Program Files\Common Files\System\update.exe
        
        "C:\Program Files\Common Files\System\update.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1972
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1092
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1000
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1624
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1184
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:832
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:188
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:836
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1876
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1860
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Executes dropped EXE
        
        PID:904
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1388
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1192
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:552
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1280
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1772
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1860
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:584
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:524
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:592
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:108
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1224
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1432
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1000
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        
        PID:1800
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1644
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1732
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1984
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:276
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
    - - C:\Windows\AppCompat\update.exe
        
        C:\Windows\AppCompat\update.exe C:\Windows\AppCompat\
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:788
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1360
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1352
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6aabf1c98276646ac3db86b0975b11b6

SHA1
70ed0a1b3b67169cc3708392ec90dcffa1b160e6

SHA256
cb063c5c23cfea1d0995aafffd0b7d5b46ce0947732f20a41e4e8af9a97155ad

SHA512
d8db2b6d11dc8136ed7154cab2115c5361f0d0a482eecd54602ca283a5ab4a9f9db7d1d33ab4e06e579d12c716781f39655066bf3c59937dc3f3ec0e1e286aea

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
866b9dc734498a8965ea0e668765b641

SHA1
59d916ed083c734aeea335341b2b1b080d1b1a49

SHA256
63809b2a5490de80403256680faf5aa271b96f35c994f3712cdb3d1dc11f9aa5

SHA512
e5f5d3f88ce326567b408cc3c528d83ca41684e53436854ccb9dd9caf85ca719b80f35c42a626bd145ed815b417adf866b369a45bec7dab17a776afd86924b3c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
866b9dc734498a8965ea0e668765b641

SHA1
59d916ed083c734aeea335341b2b1b080d1b1a49

SHA256
63809b2a5490de80403256680faf5aa271b96f35c994f3712cdb3d1dc11f9aa5

SHA512
e5f5d3f88ce326567b408cc3c528d83ca41684e53436854ccb9dd9caf85ca719b80f35c42a626bd145ed815b417adf866b369a45bec7dab17a776afd86924b3c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
56faa35bd19eb26366689114003c11f7

SHA1
2de27f7e329623a30ce08ca70924709862e19dd0

SHA256
52c534b3fed9f9c7dd7ad77c36b1f4d91d7d3b8bf8ef5383158209cae0e00661

SHA512
2aa42b7e950f0ef484637335fbec4cefa016d80b0b98e518696642443bb649431ff9baac55af7501e95fd72b6dcc0673dfcdfaf0581b5d1e24e3b96c8da8b3af

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aa83db024887e48505ce5c15429eda77

SHA1
227fb9f4f53d716ab6c6c5922bd5a5f0e9960a3a

SHA256
d14b10928fa0503d1c4934f8bcefcf8fb03fcb9b56f12186475aa847d51db3cb

SHA512
eb0cc6f51296f0c773f2a65c58379c908cfe1c97537e75ddfd39f22a795d9e929585079e2e8970859af9d2fe2dbb8740fd3556181c478f2be74a02f39baa0d39

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aa83db024887e48505ce5c15429eda77

SHA1
227fb9f4f53d716ab6c6c5922bd5a5f0e9960a3a

SHA256
d14b10928fa0503d1c4934f8bcefcf8fb03fcb9b56f12186475aa847d51db3cb

SHA512
eb0cc6f51296f0c773f2a65c58379c908cfe1c97537e75ddfd39f22a795d9e929585079e2e8970859af9d2fe2dbb8740fd3556181c478f2be74a02f39baa0d39

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
4b4f89b169174968c941280b71d0ee1d

SHA1
b7cb9f953254cba5f6da21b431480baabeaf1c6d

SHA256
5ce3df391243e21d6f8913d3f9402bae4ad6f64ff42f4539c1d19b2ccb1d463c

SHA512
56425dc79e67b987ac28919add3835c0752c07b1ef458bf77ff96c1af8f78192a7efb15bb0a3145e51ed1506924f5583045a6e49d7fd88d2ec04f4b4f06dfa0b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8cdbaad993b61ac7efc265ea9cebfa49

SHA1
0e05d59ae32f53134018598be50c4fce23cba123

SHA256
a167285d3043ee9c84cf4bfbddbbc26d4629690cd0d4af8794994bf028b2cc77

SHA512
0b1f38eb282efb76d44f9c0fe6faec6e4776c180b9ec3efab002e78e39eaf017345be29347c045655c07dc93a1bb3108f5ba4ddaae40c2ad3c4e3b0228c11b48

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8cdbaad993b61ac7efc265ea9cebfa49

SHA1
0e05d59ae32f53134018598be50c4fce23cba123

SHA256
a167285d3043ee9c84cf4bfbddbbc26d4629690cd0d4af8794994bf028b2cc77

SHA512
0b1f38eb282efb76d44f9c0fe6faec6e4776c180b9ec3efab002e78e39eaf017345be29347c045655c07dc93a1bb3108f5ba4ddaae40c2ad3c4e3b0228c11b48

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
c475a5c8efe1ef672d69f22688c93672

SHA1
3473a3d09e1b246aac48ec5b6679e28f0d5be2bd

SHA256
4c81e59d9547482ffb7cefe228112326e6dac85bd252ba71359394f4b206c86c

SHA512
48e51c97def774594cf03c7db7ffb55ec223613de948fd9bb8451e738ec47e3169c2fb6f97e0cbce12602a49c517bf8e275cf7c463b71bcb82874ff801bf99cc

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
c475a5c8efe1ef672d69f22688c93672

SHA1
3473a3d09e1b246aac48ec5b6679e28f0d5be2bd

SHA256
4c81e59d9547482ffb7cefe228112326e6dac85bd252ba71359394f4b206c86c

SHA512
48e51c97def774594cf03c7db7ffb55ec223613de948fd9bb8451e738ec47e3169c2fb6f97e0cbce12602a49c517bf8e275cf7c463b71bcb82874ff801bf99cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3339796415\backup.exe

Filesize
72KB

MD5
ae08b835c19296396792e260dbd45430

SHA1
39af842a8f0f4404edd156c65f87219801113ed6

SHA256
ee2c9396cf1b92f07893066401b8d7c32b032ca634fff040f4e20ec831b65cca

SHA512
e7c5d61e7b57be68c9c17ec8d085ab85dfde70e4f9d40a5f2c96a0bfdbd76421a2e15dd41c69f9d2c6fe70b29daf09eff67b25259d7f5304696d10b004e9213c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3339796415\backup.exe

Filesize
72KB

MD5
ae08b835c19296396792e260dbd45430

SHA1
39af842a8f0f4404edd156c65f87219801113ed6

SHA256
ee2c9396cf1b92f07893066401b8d7c32b032ca634fff040f4e20ec831b65cca

SHA512
e7c5d61e7b57be68c9c17ec8d085ab85dfde70e4f9d40a5f2c96a0bfdbd76421a2e15dd41c69f9d2c6fe70b29daf09eff67b25259d7f5304696d10b004e9213c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6aabf1c98276646ac3db86b0975b11b6

SHA1
70ed0a1b3b67169cc3708392ec90dcffa1b160e6

SHA256
cb063c5c23cfea1d0995aafffd0b7d5b46ce0947732f20a41e4e8af9a97155ad

SHA512
d8db2b6d11dc8136ed7154cab2115c5361f0d0a482eecd54602ca283a5ab4a9f9db7d1d33ab4e06e579d12c716781f39655066bf3c59937dc3f3ec0e1e286aea

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
6aabf1c98276646ac3db86b0975b11b6

SHA1
70ed0a1b3b67169cc3708392ec90dcffa1b160e6

SHA256
cb063c5c23cfea1d0995aafffd0b7d5b46ce0947732f20a41e4e8af9a97155ad

SHA512
d8db2b6d11dc8136ed7154cab2115c5361f0d0a482eecd54602ca283a5ab4a9f9db7d1d33ab4e06e579d12c716781f39655066bf3c59937dc3f3ec0e1e286aea

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
866b9dc734498a8965ea0e668765b641

SHA1
59d916ed083c734aeea335341b2b1b080d1b1a49

SHA256
63809b2a5490de80403256680faf5aa271b96f35c994f3712cdb3d1dc11f9aa5

SHA512
e5f5d3f88ce326567b408cc3c528d83ca41684e53436854ccb9dd9caf85ca719b80f35c42a626bd145ed815b417adf866b369a45bec7dab17a776afd86924b3c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
866b9dc734498a8965ea0e668765b641

SHA1
59d916ed083c734aeea335341b2b1b080d1b1a49

SHA256
63809b2a5490de80403256680faf5aa271b96f35c994f3712cdb3d1dc11f9aa5

SHA512
e5f5d3f88ce326567b408cc3c528d83ca41684e53436854ccb9dd9caf85ca719b80f35c42a626bd145ed815b417adf866b369a45bec7dab17a776afd86924b3c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
56faa35bd19eb26366689114003c11f7

SHA1
2de27f7e329623a30ce08ca70924709862e19dd0

SHA256
52c534b3fed9f9c7dd7ad77c36b1f4d91d7d3b8bf8ef5383158209cae0e00661

SHA512
2aa42b7e950f0ef484637335fbec4cefa016d80b0b98e518696642443bb649431ff9baac55af7501e95fd72b6dcc0673dfcdfaf0581b5d1e24e3b96c8da8b3af

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
56faa35bd19eb26366689114003c11f7

SHA1
2de27f7e329623a30ce08ca70924709862e19dd0

SHA256
52c534b3fed9f9c7dd7ad77c36b1f4d91d7d3b8bf8ef5383158209cae0e00661

SHA512
2aa42b7e950f0ef484637335fbec4cefa016d80b0b98e518696642443bb649431ff9baac55af7501e95fd72b6dcc0673dfcdfaf0581b5d1e24e3b96c8da8b3af

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aa83db024887e48505ce5c15429eda77

SHA1
227fb9f4f53d716ab6c6c5922bd5a5f0e9960a3a

SHA256
d14b10928fa0503d1c4934f8bcefcf8fb03fcb9b56f12186475aa847d51db3cb

SHA512
eb0cc6f51296f0c773f2a65c58379c908cfe1c97537e75ddfd39f22a795d9e929585079e2e8970859af9d2fe2dbb8740fd3556181c478f2be74a02f39baa0d39

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aa83db024887e48505ce5c15429eda77

SHA1
227fb9f4f53d716ab6c6c5922bd5a5f0e9960a3a

SHA256
d14b10928fa0503d1c4934f8bcefcf8fb03fcb9b56f12186475aa847d51db3cb

SHA512
eb0cc6f51296f0c773f2a65c58379c908cfe1c97537e75ddfd39f22a795d9e929585079e2e8970859af9d2fe2dbb8740fd3556181c478f2be74a02f39baa0d39

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
4b4f89b169174968c941280b71d0ee1d

SHA1
b7cb9f953254cba5f6da21b431480baabeaf1c6d

SHA256
5ce3df391243e21d6f8913d3f9402bae4ad6f64ff42f4539c1d19b2ccb1d463c

SHA512
56425dc79e67b987ac28919add3835c0752c07b1ef458bf77ff96c1af8f78192a7efb15bb0a3145e51ed1506924f5583045a6e49d7fd88d2ec04f4b4f06dfa0b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
4b4f89b169174968c941280b71d0ee1d

SHA1
b7cb9f953254cba5f6da21b431480baabeaf1c6d

SHA256
5ce3df391243e21d6f8913d3f9402bae4ad6f64ff42f4539c1d19b2ccb1d463c

SHA512
56425dc79e67b987ac28919add3835c0752c07b1ef458bf77ff96c1af8f78192a7efb15bb0a3145e51ed1506924f5583045a6e49d7fd88d2ec04f4b4f06dfa0b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
74ecf78701292d044dd42c6e9348eba7

SHA1
23cb13457c2d97c4d0cdceccb51e1d4140ff5103

SHA256
57387679a067284de78d09d1df748151db583dff20dc9e4c257fcc67515c46b9

SHA512
ec6a0a69f9618b4f87634ac44e160d5b79690ccaaaa79c7881b3f76b21d2f75ec16d177b92c5a5a400759a9fafd05c6854e572dd00f6c23df1d96d67e8801fd9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
4b4f89b169174968c941280b71d0ee1d

SHA1
b7cb9f953254cba5f6da21b431480baabeaf1c6d

SHA256
5ce3df391243e21d6f8913d3f9402bae4ad6f64ff42f4539c1d19b2ccb1d463c

SHA512
56425dc79e67b987ac28919add3835c0752c07b1ef458bf77ff96c1af8f78192a7efb15bb0a3145e51ed1506924f5583045a6e49d7fd88d2ec04f4b4f06dfa0b

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
22ce3ac4c21045a57e986d2612d724a8

SHA1
6411bad3d1fa8f37eb004d5120cafab1f965de1e

SHA256
5fb115ffe41ef651723ab19c189f6d8a236d1b37129c18a0a8e775f575d6ed80

SHA512
e75ab4691306cc8d391fdc75dc31840f929a581c8e5bb9efe099a58d0a4177a68f37d7ecc35b42f4e37456cce80e30f6bd9a2001c0355db251c8c11be25a555b

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
8cdbaad993b61ac7efc265ea9cebfa49

SHA1
0e05d59ae32f53134018598be50c4fce23cba123

SHA256
a167285d3043ee9c84cf4bfbddbbc26d4629690cd0d4af8794994bf028b2cc77

SHA512
0b1f38eb282efb76d44f9c0fe6faec6e4776c180b9ec3efab002e78e39eaf017345be29347c045655c07dc93a1bb3108f5ba4ddaae40c2ad3c4e3b0228c11b48

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
8cdbaad993b61ac7efc265ea9cebfa49

SHA1
0e05d59ae32f53134018598be50c4fce23cba123

SHA256
a167285d3043ee9c84cf4bfbddbbc26d4629690cd0d4af8794994bf028b2cc77

SHA512
0b1f38eb282efb76d44f9c0fe6faec6e4776c180b9ec3efab002e78e39eaf017345be29347c045655c07dc93a1bb3108f5ba4ddaae40c2ad3c4e3b0228c11b48

Download Submit
\Users\Admin\AppData\Local\Temp\3339796415\backup.exe

Filesize
72KB

MD5
ae08b835c19296396792e260dbd45430

SHA1
39af842a8f0f4404edd156c65f87219801113ed6

SHA256
ee2c9396cf1b92f07893066401b8d7c32b032ca634fff040f4e20ec831b65cca

SHA512
e7c5d61e7b57be68c9c17ec8d085ab85dfde70e4f9d40a5f2c96a0bfdbd76421a2e15dd41c69f9d2c6fe70b29daf09eff67b25259d7f5304696d10b004e9213c

Download Submit
\Users\Admin\AppData\Local\Temp\3339796415\backup.exe

Filesize
72KB

MD5
ae08b835c19296396792e260dbd45430

SHA1
39af842a8f0f4404edd156c65f87219801113ed6

SHA256
ee2c9396cf1b92f07893066401b8d7c32b032ca634fff040f4e20ec831b65cca

SHA512
e7c5d61e7b57be68c9c17ec8d085ab85dfde70e4f9d40a5f2c96a0bfdbd76421a2e15dd41c69f9d2c6fe70b29daf09eff67b25259d7f5304696d10b004e9213c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ddfe1c82f9c2871561a0c9db722188ac

SHA1
aae3f10eff2e3b64d71d042d568a7f191e30cb55

SHA256
32cc5b2acdbbd470d0aeb9511157b06a2aa7c0d2fa02da0b4acb18555b330933

SHA512
aed1abcc0c79227d57e4b07a325f3484db42a838fbbb397c03ecfc63f3dd2b6f9ce99ff67ec972d00c90b7ed24d8f7617e772deae5b56c4f9c3dba78e0f5c376

Download Submit
memory/1240-98-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1240-105-0x0000000073FB1000-0x0000000073FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads