2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0

Analysis

max time kernel
155s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
Size

72KB
MD5

031f55ff79a9838d4c8017352423e3ba
SHA1

adf204c0361a0d497a24b74d846c5da1b78de824
SHA256

2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0
SHA512

5c9b9ed26ff0a7cae6525afd4eb96dbf06c307f614d127befbd61379c2a8b64c2082a3354af78f12678f82ca06d7c80a09be306554c3ffee92cd289fdcea7570
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2t:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1200	backup.exe
1736	backup.exe
468	System Restore.exe
1716	data.exe
1312	backup.exe
1596	backup.exe
1116	backup.exe
1104	backup.exe
1872	backup.exe
1320	backup.exe
1568	backup.exe
1920	backup.exe
1556	backup.exe
1536	backup.exe
1860	update.exe
908	backup.exe
852	backup.exe
580	backup.exe
1704	backup.exe
452	backup.exe
1716	data.exe
1732	backup.exe
1000	System Restore.exe
1788	backup.exe
1116	backup.exe
1708	backup.exe
1012	backup.exe
1152	backup.exe
1572	backup.exe
1320	backup.exe
1096	backup.exe
1960	data.exe
1328	data.exe
1628	backup.exe
1552	backup.exe
1004	backup.exe
1652	backup.exe
1948	backup.exe
1804	backup.exe
1332	backup.exe
1748	backup.exe
588	backup.exe
268	backup.exe
1700	backup.exe
1724	backup.exe
544	backup.exe
1696	backup.exe
536	backup.exe
1608	backup.exe
1376	backup.exe
1660	backup.exe
1592	backup.exe
1620	backup.exe
1872	backup.exe
1816	backup.exe
1636	data.exe
1960	backup.exe
984	backup.exe
1328	backup.exe
1820	data.exe
604	backup.exe
1632	backup.exe
1956	backup.exe
1572	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1104	backup.exe
1104	backup.exe
1872	backup.exe
1872	backup.exe
1104	backup.exe
1104	backup.exe
1568	backup.exe
1568	backup.exe
1920	backup.exe
1920	backup.exe
1568	backup.exe
1568	backup.exe
1536	backup.exe
1860	update.exe
1860	update.exe
1860	update.exe
1860	update.exe
1860	update.exe
908	backup.exe
908	backup.exe
908	backup.exe
1860	update.exe
1860	update.exe
852	backup.exe
852	backup.exe
852	backup.exe
852	backup.exe
852	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
852	backup.exe
852	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
852	backup.exe
852	backup.exe
452	backup.exe
452	backup.exe
452	backup.exe
852	backup.exe
852	backup.exe
1716	data.exe
1716	data.exe
1716	data.exe
852	backup.exe
852	backup.exe
1732	backup.exe
1732	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
1200	backup.exe
1736	backup.exe
468	System Restore.exe
1716	data.exe
1312	backup.exe
1596	backup.exe
1116	backup.exe
1104	backup.exe
1872	backup.exe
1320	backup.exe
1568	backup.exe
1920	backup.exe
1556	backup.exe
1536	backup.exe
1860	update.exe
908	backup.exe
852	backup.exe
580	backup.exe
1704	backup.exe
452	backup.exe
1716	data.exe
1732	backup.exe
1000	System Restore.exe
1788	backup.exe
1116	backup.exe
1708	backup.exe
1012	backup.exe
1152	backup.exe
1572	backup.exe
1320	backup.exe
1096	backup.exe
1960	data.exe
1328	data.exe
1628	backup.exe
1552	backup.exe
1004	backup.exe
1652	backup.exe
1948	backup.exe
1804	backup.exe
1332	backup.exe
1748	backup.exe
588	backup.exe
268	backup.exe
1700	backup.exe
1724	backup.exe
544	backup.exe
1696	backup.exe
536	backup.exe
1608	backup.exe
1376	backup.exe
1660	backup.exe
1592	backup.exe
1620	backup.exe
1872	backup.exe
1816	backup.exe
1636	data.exe
1960	backup.exe
1328	backup.exe
984	backup.exe
1820	data.exe
604	backup.exe
1632	backup.exe
1956	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1200	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	27
PID 1396 wrote to memory of 1200	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	27
PID 1396 wrote to memory of 1200	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	27
PID 1396 wrote to memory of 1200	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	27
PID 1396 wrote to memory of 1736	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	28
PID 1396 wrote to memory of 1736	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	28
PID 1396 wrote to memory of 1736	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	28
PID 1396 wrote to memory of 1736	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	28
PID 1396 wrote to memory of 468	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	29
PID 1396 wrote to memory of 468	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	29
PID 1396 wrote to memory of 468	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	29
PID 1396 wrote to memory of 468	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	29
PID 1396 wrote to memory of 1716	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	30
PID 1396 wrote to memory of 1716	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	30
PID 1396 wrote to memory of 1716	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	30
PID 1396 wrote to memory of 1716	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	30
PID 1396 wrote to memory of 1312	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	31
PID 1396 wrote to memory of 1312	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	31
PID 1396 wrote to memory of 1312	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	31
PID 1396 wrote to memory of 1312	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	31
PID 1396 wrote to memory of 1596	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	32
PID 1396 wrote to memory of 1596	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	32
PID 1396 wrote to memory of 1596	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	32
PID 1396 wrote to memory of 1596	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	32
PID 1396 wrote to memory of 1116	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	33
PID 1396 wrote to memory of 1116	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	33
PID 1396 wrote to memory of 1116	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	33
PID 1396 wrote to memory of 1116	1396	2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe	33
PID 1200 wrote to memory of 1104	1200	backup.exe	34
PID 1200 wrote to memory of 1104	1200	backup.exe	34
PID 1200 wrote to memory of 1104	1200	backup.exe	34
PID 1200 wrote to memory of 1104	1200	backup.exe	34
PID 1104 wrote to memory of 1872	1104	backup.exe	35
PID 1104 wrote to memory of 1872	1104	backup.exe	35
PID 1104 wrote to memory of 1872	1104	backup.exe	35
PID 1104 wrote to memory of 1872	1104	backup.exe	35
PID 1872 wrote to memory of 1320	1872	backup.exe	36
PID 1872 wrote to memory of 1320	1872	backup.exe	36
PID 1872 wrote to memory of 1320	1872	backup.exe	36
PID 1872 wrote to memory of 1320	1872	backup.exe	36
PID 1104 wrote to memory of 1568	1104	backup.exe	37
PID 1104 wrote to memory of 1568	1104	backup.exe	37
PID 1104 wrote to memory of 1568	1104	backup.exe	37
PID 1104 wrote to memory of 1568	1104	backup.exe	37
PID 1568 wrote to memory of 1920	1568	backup.exe	38
PID 1568 wrote to memory of 1920	1568	backup.exe	38
PID 1568 wrote to memory of 1920	1568	backup.exe	38
PID 1568 wrote to memory of 1920	1568	backup.exe	38
PID 1920 wrote to memory of 1556	1920	backup.exe	39
PID 1920 wrote to memory of 1556	1920	backup.exe	39
PID 1920 wrote to memory of 1556	1920	backup.exe	39
PID 1920 wrote to memory of 1556	1920	backup.exe	39
PID 1568 wrote to memory of 1536	1568	backup.exe	40
PID 1568 wrote to memory of 1536	1568	backup.exe	40
PID 1568 wrote to memory of 1536	1568	backup.exe	40
PID 1568 wrote to memory of 1536	1568	backup.exe	40
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1536 wrote to memory of 1860	1536	backup.exe	41
PID 1860 wrote to memory of 908	1860	update.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe
"C:\Users\Admin\AppData\Local\Temp\2fc4cc94722e231ff9e4141c2986ce10249a762475e0f8ef1932507255d84be0.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\268079854\backup.exe
  C:\Users\Admin\AppData\Local\Temp\268079854\backup.exe C:\Users\Admin\AppData\Local\Temp\268079854\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1872
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1568
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1920
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1376
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:588
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Drops file in Program Files directory
        
        PID:1828
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1060
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\System\ado\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\System Restore.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:564
        
        C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:604
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:772
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:240
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2044
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:520
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1812
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1736
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1548
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1552
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1964
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:688
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:584
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1588
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:932
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2000
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2004
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1920
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1928
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1832
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1724
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:536
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1880
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:916
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1372
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1660
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1408
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:276
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:112
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1004
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1160
    - - C:\Program Files\Microsoft Games\data.exe
        
        "C:\Program Files\Microsoft Games\data.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1708
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1352
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:952
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1472
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1304
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1764
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1872
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1220
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1316
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:852
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:800
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1584
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1800
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1504
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:976
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1976
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1232
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1700
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1280
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2024
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1768
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1600
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:284
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1804
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:544
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1644
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:828
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1536
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      System policy modification
      PID:1248
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1960
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:780
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1820
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
b18279b9c4c0e91363b582792ee1e6ab

SHA1
fff9f907d9c430201e99d222fe0370bcab9e75bc

SHA256
f118d3cf3c38427ce2eee8666868bdd380edbb7a6fdcc02a757bbf1b84b92968

SHA512
34fe62a24fe5b98a65b16062681529f981e0dcbf4e08a94b7a906f19556713e609fa5df6b4d59d48cebcef0ec6603095b5d72592702f41613f9e03e8dee82467

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\268079854\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\268079854\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8e0c983e782cff600e09ad851662690b

SHA1
eea674deb68d9d0136e029f8c096b558c5c4232e

SHA256
25bf4a587a5a5d99737758d2a08e1fcaa5733b5de29d74cc72c88f739a04532b

SHA512
fb19f84ebc0fd7adffbdf928d6567cf9d46bacdc1b3b7104c3c233de92b158998da2cdb9f6091b30ccf447c8c49fcc27b23c26d9adc3c09bff9732fd71c3c5f5

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8e0c983e782cff600e09ad851662690b

SHA1
eea674deb68d9d0136e029f8c096b558c5c4232e

SHA256
25bf4a587a5a5d99737758d2a08e1fcaa5733b5de29d74cc72c88f739a04532b

SHA512
fb19f84ebc0fd7adffbdf928d6567cf9d46bacdc1b3b7104c3c233de92b158998da2cdb9f6091b30ccf447c8c49fcc27b23c26d9adc3c09bff9732fd71c3c5f5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
b18279b9c4c0e91363b582792ee1e6ab

SHA1
fff9f907d9c430201e99d222fe0370bcab9e75bc

SHA256
f118d3cf3c38427ce2eee8666868bdd380edbb7a6fdcc02a757bbf1b84b92968

SHA512
34fe62a24fe5b98a65b16062681529f981e0dcbf4e08a94b7a906f19556713e609fa5df6b4d59d48cebcef0ec6603095b5d72592702f41613f9e03e8dee82467

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
b18279b9c4c0e91363b582792ee1e6ab

SHA1
fff9f907d9c430201e99d222fe0370bcab9e75bc

SHA256
f118d3cf3c38427ce2eee8666868bdd380edbb7a6fdcc02a757bbf1b84b92968

SHA512
34fe62a24fe5b98a65b16062681529f981e0dcbf4e08a94b7a906f19556713e609fa5df6b4d59d48cebcef0ec6603095b5d72592702f41613f9e03e8dee82467

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0faac3bf93d30cc2bee3692740508ce3

SHA1
cbbb0425ea01b332540fc9f6e92be0e85364344e

SHA256
4cd052e7746f30202922ebb39dc8f72e93cb044ed4a3f85f697db861ca6eabc5

SHA512
1141d4330a078b7b1a991615e646a5a35f175e3c70dea55b0d5fa58e7bfab688e2ccb3f5bafd1566eaa11bd312e4c993a0dcfc8aae8498230187bd062eee3aa4

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
b70ca817d39303d731ac99f8879c9ed9

SHA1
fc8539e17d6ecb98f372d14360f18e63c32dab68

SHA256
132ff516cec8e99d8d7edae0b7d6c4a2f3fb39e1af7cb28b53c51a16271610d9

SHA512
7c7abf850ee8c24163dead49dc9e898792fefd060e91901aa37d6fc922388b87abfb14a4a35bec7baff913a9660d52b11db4043cbe7e04e11c78fedc72f99570

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
10b7ef7d5d28cb909651cc80cde63811

SHA1
83171efcaae529b5239adb3660b8ea94261726ab

SHA256
4dd2a8ca96115d4cf6fffb48561e2ac9b0ff136a7bc58c1d0c11e238b81524b9

SHA512
857e124ecced995c704144079cdc540a4205dc1227c73b9bfd0e296ed8a9c0e1c40a9d56db205594c79ccbc4c393ccbdecd61c5e82369a5b8f2b51d574ddf750

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
fbc3081161baf49c354d31346d41fd0f

SHA1
f1c806573499cb79a4a8936899cfd0f1e4bd70ae

SHA256
79393ee0d15295c01a46d23186d9dbc322e3c3de1ca65ac5555808f1c8920df2

SHA512
4fae96a06013989964baa72fecc828d8d1b117035cb90cdafbb21c60ff5033cdb06abe71b9f45e22db9f65389351f0dc989e56b5e59de3ed8b42feba4a3835c2

Download Submit
\Users\Admin\AppData\Local\Temp\268079854\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\268079854\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b2cc8ff914e780e9e48128a3b73f1e3a

SHA1
d4efd48db1fcb84249e6602603af6828b9c50f51

SHA256
7a0aab0c4e21dc17ebdbf294618e220f88a10955238aee2b2fbb96e1e08a4c0f

SHA512
6119aaec337b5af30ca055e9cb593b81ddddca74b41d36ebeaf61c185bc8ac0b2a35fe7945250faa6eb3a34f34ccf23856a6c9da5d6397d2b213ea52160e0bda

Download Submit
memory/1396-125-0x0000000073F61000-0x0000000073F63000-memory.dmp

Filesize
8KB

Download
memory/1396-98-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads