1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18

Analysis

max time kernel
151s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
Size

72KB
MD5

06dca3531509d8fd2aebc6c2dc35f8a6
SHA1

fd42bfced0ab54b27d6c5bc3066a4309e9e25c72
SHA256

1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18
SHA512

acea56bfbf5cfba1354dbe755c4af1ddb53e56fc9711c4df04527e1ac0809d3704a779a544eee9dde657c732bd58ede9233a6824e25765f316adb59ebdb83332
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2x:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPF

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	backup.exe
1032	backup.exe
700	backup.exe
320	backup.exe
652	backup.exe
1528	data.exe
1576	System Restore.exe
860	backup.exe
1108	backup.exe
1984	backup.exe
1948	backup.exe
1544	backup.exe
1368	backup.exe
1660	backup.exe
1244	backup.exe
2044	backup.exe
904	backup.exe
1624	backup.exe
1476	backup.exe
640	backup.exe
1708	data.exe
1512	backup.exe
1832	backup.exe
984	backup.exe
1684	backup.exe
1184	backup.exe
1648	backup.exe
1504	backup.exe
1972	backup.exe
1964	System Restore.exe
1784	backup.exe
472	backup.exe
560	backup.exe
2020	backup.exe
1740	backup.exe
360	backup.exe
832	backup.exe
1988	backup.exe
1072	backup.exe
1208	backup.exe
2044	backup.exe
276	backup.exe
1712	backup.exe
676	update.exe
780	backup.exe
1472	backup.exe
640	backup.exe
1708	backup.exe
1928	backup.exe
1568	backup.exe
1128	backup.exe
1892	backup.exe
840	backup.exe
2024	backup.exe
1896	backup.exe
1976	backup.exe
1968	backup.exe
1080	update.exe
1904	backup.exe
1364	backup.exe
1932	backup.exe
1900	backup.exe
1368	backup.exe
1012	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
860	backup.exe
860	backup.exe
1108	backup.exe
1108	backup.exe
860	backup.exe
860	backup.exe
1948	backup.exe
1948	backup.exe
1544	backup.exe
1544	backup.exe
1948	backup.exe
1948	backup.exe
1660	backup.exe
1660	backup.exe
1244	backup.exe
1244	backup.exe
1244	backup.exe
1244	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
904	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
1288	backup.exe
1032	backup.exe
700	backup.exe
320	backup.exe
652	backup.exe
1528	data.exe
1576	System Restore.exe
860	backup.exe
1108	backup.exe
1984	backup.exe
1948	backup.exe
1544	backup.exe
1368	backup.exe
1660	backup.exe
1244	backup.exe
2044	backup.exe
904	backup.exe
1624	backup.exe
1476	backup.exe
640	backup.exe
1708	data.exe
1512	backup.exe
1832	backup.exe
984	backup.exe
1684	backup.exe
1184	backup.exe
1648	backup.exe
1504	backup.exe
1972	backup.exe
1964	System Restore.exe
1784	backup.exe
472	backup.exe
560	backup.exe
2020	backup.exe
1740	backup.exe
360	backup.exe
832	backup.exe
1988	backup.exe
1072	backup.exe
1208	backup.exe
2044	backup.exe
276	backup.exe
1712	backup.exe
676	update.exe
780	backup.exe
1472	backup.exe
640	backup.exe
1708	backup.exe
1928	backup.exe
1568	backup.exe
1128	backup.exe
1892	backup.exe
840	backup.exe
2024	backup.exe
1896	backup.exe
1976	backup.exe
1968	backup.exe
1080	update.exe
1904	backup.exe
1364	backup.exe
1932	backup.exe
1900	backup.exe
1368	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1288	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	27
PID 952 wrote to memory of 1288	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	27
PID 952 wrote to memory of 1288	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	27
PID 952 wrote to memory of 1288	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	27
PID 952 wrote to memory of 1032	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	28
PID 952 wrote to memory of 1032	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	28
PID 952 wrote to memory of 1032	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	28
PID 952 wrote to memory of 1032	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	28
PID 952 wrote to memory of 700	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	29
PID 952 wrote to memory of 700	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	29
PID 952 wrote to memory of 700	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	29
PID 952 wrote to memory of 700	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	29
PID 952 wrote to memory of 320	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	30
PID 952 wrote to memory of 320	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	30
PID 952 wrote to memory of 320	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	30
PID 952 wrote to memory of 320	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	30
PID 952 wrote to memory of 652	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	31
PID 952 wrote to memory of 652	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	31
PID 952 wrote to memory of 652	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	31
PID 952 wrote to memory of 652	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	31
PID 952 wrote to memory of 1528	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	32
PID 952 wrote to memory of 1528	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	32
PID 952 wrote to memory of 1528	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	32
PID 952 wrote to memory of 1528	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	32
PID 952 wrote to memory of 1576	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	33
PID 952 wrote to memory of 1576	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	33
PID 952 wrote to memory of 1576	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	33
PID 952 wrote to memory of 1576	952	1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe	33
PID 1288 wrote to memory of 860	1288	backup.exe	34
PID 1288 wrote to memory of 860	1288	backup.exe	34
PID 1288 wrote to memory of 860	1288	backup.exe	34
PID 1288 wrote to memory of 860	1288	backup.exe	34
PID 860 wrote to memory of 1108	860	backup.exe	35
PID 860 wrote to memory of 1108	860	backup.exe	35
PID 860 wrote to memory of 1108	860	backup.exe	35
PID 860 wrote to memory of 1108	860	backup.exe	35
PID 1108 wrote to memory of 1984	1108	backup.exe	36
PID 1108 wrote to memory of 1984	1108	backup.exe	36
PID 1108 wrote to memory of 1984	1108	backup.exe	36
PID 1108 wrote to memory of 1984	1108	backup.exe	36
PID 860 wrote to memory of 1948	860	backup.exe	37
PID 860 wrote to memory of 1948	860	backup.exe	37
PID 860 wrote to memory of 1948	860	backup.exe	37
PID 860 wrote to memory of 1948	860	backup.exe	37
PID 1948 wrote to memory of 1544	1948	backup.exe	38
PID 1948 wrote to memory of 1544	1948	backup.exe	38
PID 1948 wrote to memory of 1544	1948	backup.exe	38
PID 1948 wrote to memory of 1544	1948	backup.exe	38
PID 1544 wrote to memory of 1368	1544	backup.exe	39
PID 1544 wrote to memory of 1368	1544	backup.exe	39
PID 1544 wrote to memory of 1368	1544	backup.exe	39
PID 1544 wrote to memory of 1368	1544	backup.exe	39
PID 1948 wrote to memory of 1660	1948	backup.exe	40
PID 1948 wrote to memory of 1660	1948	backup.exe	40
PID 1948 wrote to memory of 1660	1948	backup.exe	40
PID 1948 wrote to memory of 1660	1948	backup.exe	40
PID 1660 wrote to memory of 1244	1660	backup.exe	41
PID 1660 wrote to memory of 1244	1660	backup.exe	41
PID 1660 wrote to memory of 1244	1660	backup.exe	41
PID 1660 wrote to memory of 1244	1660	backup.exe	41
PID 1244 wrote to memory of 2044	1244	backup.exe	42
PID 1244 wrote to memory of 2044	1244	backup.exe	42
PID 1244 wrote to memory of 2044	1244	backup.exe	42
PID 1244 wrote to memory of 2044	1244	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe
"C:\Users\Admin\AppData\Local\Temp\1e6a72580f93951c1ed9efb806ad61ab703ee46c6c7d403d8a69581fd007db18.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\3145570234\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3145570234\backup.exe C:\Users\Admin\AppData\Local\Temp\3145570234\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1288
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1108
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:780
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1680
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1976
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2020
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1368
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:988
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1028
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1036
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2000
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1936
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1808
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1512
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1004
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1512
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:1528
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1768
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1068
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1720
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1988
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:764
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:2008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1144
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1680
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1068
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:276
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1892
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1508
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:320
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1888
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1640
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1908
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:360
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        
        PID:1488
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1480
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1644
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:996
    - - C:\Program Files\MSBuild\update.exe
        
        "C:\Program Files\MSBuild\update.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1144
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1196
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:868
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1708
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1104
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:828
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1956
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1440
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1460
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1152
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:844
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1664
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1184
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1556
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:700
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:652
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc646384eff2437244fb25f5b2dbe465

SHA1
fd769faa1f8c0b4c2cea3b0c872045f5f0bd03c8

SHA256
cc865755653505eb04259f8cb379dca762b6b3763cf41266e377efd8f1821fd6

SHA512
7c66a856c7cefa795a51dd9477185ab2fa83e6ce300b4b8817706f36c52ac931e7dcbdaf89dabf97adbb20c832afc675c4cd6bdbb3ccac829f4b2e983faec1e8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
36206890dd34ddc4f527c26707a18e3e

SHA1
21ec0ccdd1c9442bcc1fb61209335572af2b42da

SHA256
092a859e14438733d61dc3b5481dc7fb413ed44d63eb621140c082497ad35f64

SHA512
97d34553f30c2bcc1950bc7da2d5b4c3c08611d274961225b707833b237bed5c5212a32357a68a6cae32ff498b9ae1332d256e22cf7778e240b5532fece1f56e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
36206890dd34ddc4f527c26707a18e3e

SHA1
21ec0ccdd1c9442bcc1fb61209335572af2b42da

SHA256
092a859e14438733d61dc3b5481dc7fb413ed44d63eb621140c082497ad35f64

SHA512
97d34553f30c2bcc1950bc7da2d5b4c3c08611d274961225b707833b237bed5c5212a32357a68a6cae32ff498b9ae1332d256e22cf7778e240b5532fece1f56e

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
dc37cd41faf6935c2f39768d5da2374c

SHA1
877c2e4ea2e2d1ede63dd3bf99a56bb352dcbb66

SHA256
ca332e68939ee677ebf6c76a5874f048dbd7264d997c3591e46e9b3665928747

SHA512
57fd26207635161e31628ce25402867803fba2b515cc3f5718dd727c2a31181839bf254435233e8c6a89d788751613909a8072cbccef18d66f530f448b747af1

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
73db4778f76d6a658c7802c95c124302

SHA1
83f8780bdb6d72ae0fa53a3bc448a7c9938a36ab

SHA256
c62325b7b6421fb5ed8cf8e9807ef88ea649a065a14202edab1385e82085946d

SHA512
1bb5bc8d9e5ed80264bd6bd1619cfec37f222b488790ff39ba96870bf036dbe5558ef4b06d2e7b5f29915437b8713a9240c3b42fd4f5b0953e21c2c2b527219b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
73db4778f76d6a658c7802c95c124302

SHA1
83f8780bdb6d72ae0fa53a3bc448a7c9938a36ab

SHA256
c62325b7b6421fb5ed8cf8e9807ef88ea649a065a14202edab1385e82085946d

SHA512
1bb5bc8d9e5ed80264bd6bd1619cfec37f222b488790ff39ba96870bf036dbe5558ef4b06d2e7b5f29915437b8713a9240c3b42fd4f5b0953e21c2c2b527219b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c9239b92a93318e49036daf6754ecc08

SHA1
4fb353dc4c22ff5f848cf002fd13e886c611bb67

SHA256
7f432eb3f544f53faa6d7a79c06abc2059fda0445ddcde17c2c98d6fa6dc5dbb

SHA512
f22701665d668442432e4c4993c041612af2dd894c9489003e613fdb6616557b0c53e1f040a9f60d01ced633904b76f2720c851d8b3e1ae2c7fbc249baf99740

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4d28623087b194f4d201fc82663b92a0

SHA1
c80f66f7e7d1510b69a19fa2b7435cd85c9ba66d

SHA256
570c718366388a7f8ecffba4ea97936628b9d092ae74c7f62f7619532a7a7b4e

SHA512
ee8df945917abbf7958f763243f8deca6034d716a482b77491bf22ccd77f3b22cf6f277e74f95b5eec8f10b954200bb58c8359e2e3968dea9dfce0ebc46339fe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4d28623087b194f4d201fc82663b92a0

SHA1
c80f66f7e7d1510b69a19fa2b7435cd85c9ba66d

SHA256
570c718366388a7f8ecffba4ea97936628b9d092ae74c7f62f7619532a7a7b4e

SHA512
ee8df945917abbf7958f763243f8deca6034d716a482b77491bf22ccd77f3b22cf6f277e74f95b5eec8f10b954200bb58c8359e2e3968dea9dfce0ebc46339fe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c56ff35e8580f1331335f3fc747fe792

SHA1
5b7a2b9a80f29e59cd3dff93d79e2cd4daef9a93

SHA256
93b4bf9df31edda0605b0ac99422e8461dfd5be952d84a6ee7277ce3ba14d5a1

SHA512
1a6828d05b0152187b38fdff6f6e675ef074eec018b9976fe06e0ceaaee4decf5c65d3395595a6d73292c44382a3163fdae1b670aec3822b728865e08f4407e1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c56ff35e8580f1331335f3fc747fe792

SHA1
5b7a2b9a80f29e59cd3dff93d79e2cd4daef9a93

SHA256
93b4bf9df31edda0605b0ac99422e8461dfd5be952d84a6ee7277ce3ba14d5a1

SHA512
1a6828d05b0152187b38fdff6f6e675ef074eec018b9976fe06e0ceaaee4decf5c65d3395595a6d73292c44382a3163fdae1b670aec3822b728865e08f4407e1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
030db1d4462e829286451a0761406353

SHA1
6d8cc3a4ae5f76b0f9d59ea85162b3c03f48237f

SHA256
ffef387870770687e20f59e8e85e40dd74ab17be0213f7b05a02695b80856306

SHA512
fa5b7a8e8a60a886734d06c495715be873f16d29607079c871aee7e6bfcc2d366d8165205eb18b83c3db0b7857700bb5a8e45ed25d5db22c40b74788f726ed28

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
030db1d4462e829286451a0761406353

SHA1
6d8cc3a4ae5f76b0f9d59ea85162b3c03f48237f

SHA256
ffef387870770687e20f59e8e85e40dd74ab17be0213f7b05a02695b80856306

SHA512
fa5b7a8e8a60a886734d06c495715be873f16d29607079c871aee7e6bfcc2d366d8165205eb18b83c3db0b7857700bb5a8e45ed25d5db22c40b74788f726ed28

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7748469bf0ba648d0c5100d3bc25e660

SHA1
a1025fc1d00ff8c1f42e53861ab35d011f87051c

SHA256
8ae7851b34df64094fbf13fac258e81f796896eb3721f37ef29dcb1cfe17a8bf

SHA512
f4eb1fbd5a24e3a572ccb1df70f04a8fb8269849abfa74fe689de26b93563067f902e337ace860b20d5d839e28583a7218b434ae0065eded1f26c19f39e7f1cb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7748469bf0ba648d0c5100d3bc25e660

SHA1
a1025fc1d00ff8c1f42e53861ab35d011f87051c

SHA256
8ae7851b34df64094fbf13fac258e81f796896eb3721f37ef29dcb1cfe17a8bf

SHA512
f4eb1fbd5a24e3a572ccb1df70f04a8fb8269849abfa74fe689de26b93563067f902e337ace860b20d5d839e28583a7218b434ae0065eded1f26c19f39e7f1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3145570234\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\3145570234\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
C:\backup.exe

Filesize
72KB

MD5
588a64fa8b06fed47e38dffe2d45355d

SHA1
25f44e1616a33996550baa5bec568e063803e43e

SHA256
4c87666d6a8554f5393f32b997a96aaa5bd9ea6d7e4c9fe0e098ec9238d89dce

SHA512
8a78d814a6ff9a4b6b328215f217a96e10cf7ccc3d9208f09a6c781f7ded8e0a3a7d184da398ca89da8ad378c23d32703cf8de51dffce5ed659b4c2d815cba3b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
588a64fa8b06fed47e38dffe2d45355d

SHA1
25f44e1616a33996550baa5bec568e063803e43e

SHA256
4c87666d6a8554f5393f32b997a96aaa5bd9ea6d7e4c9fe0e098ec9238d89dce

SHA512
8a78d814a6ff9a4b6b328215f217a96e10cf7ccc3d9208f09a6c781f7ded8e0a3a7d184da398ca89da8ad378c23d32703cf8de51dffce5ed659b4c2d815cba3b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc646384eff2437244fb25f5b2dbe465

SHA1
fd769faa1f8c0b4c2cea3b0c872045f5f0bd03c8

SHA256
cc865755653505eb04259f8cb379dca762b6b3763cf41266e377efd8f1821fd6

SHA512
7c66a856c7cefa795a51dd9477185ab2fa83e6ce300b4b8817706f36c52ac931e7dcbdaf89dabf97adbb20c832afc675c4cd6bdbb3ccac829f4b2e983faec1e8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc646384eff2437244fb25f5b2dbe465

SHA1
fd769faa1f8c0b4c2cea3b0c872045f5f0bd03c8

SHA256
cc865755653505eb04259f8cb379dca762b6b3763cf41266e377efd8f1821fd6

SHA512
7c66a856c7cefa795a51dd9477185ab2fa83e6ce300b4b8817706f36c52ac931e7dcbdaf89dabf97adbb20c832afc675c4cd6bdbb3ccac829f4b2e983faec1e8

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
36206890dd34ddc4f527c26707a18e3e

SHA1
21ec0ccdd1c9442bcc1fb61209335572af2b42da

SHA256
092a859e14438733d61dc3b5481dc7fb413ed44d63eb621140c082497ad35f64

SHA512
97d34553f30c2bcc1950bc7da2d5b4c3c08611d274961225b707833b237bed5c5212a32357a68a6cae32ff498b9ae1332d256e22cf7778e240b5532fece1f56e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
36206890dd34ddc4f527c26707a18e3e

SHA1
21ec0ccdd1c9442bcc1fb61209335572af2b42da

SHA256
092a859e14438733d61dc3b5481dc7fb413ed44d63eb621140c082497ad35f64

SHA512
97d34553f30c2bcc1950bc7da2d5b4c3c08611d274961225b707833b237bed5c5212a32357a68a6cae32ff498b9ae1332d256e22cf7778e240b5532fece1f56e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
dc37cd41faf6935c2f39768d5da2374c

SHA1
877c2e4ea2e2d1ede63dd3bf99a56bb352dcbb66

SHA256
ca332e68939ee677ebf6c76a5874f048dbd7264d997c3591e46e9b3665928747

SHA512
57fd26207635161e31628ce25402867803fba2b515cc3f5718dd727c2a31181839bf254435233e8c6a89d788751613909a8072cbccef18d66f530f448b747af1

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
dc37cd41faf6935c2f39768d5da2374c

SHA1
877c2e4ea2e2d1ede63dd3bf99a56bb352dcbb66

SHA256
ca332e68939ee677ebf6c76a5874f048dbd7264d997c3591e46e9b3665928747

SHA512
57fd26207635161e31628ce25402867803fba2b515cc3f5718dd727c2a31181839bf254435233e8c6a89d788751613909a8072cbccef18d66f530f448b747af1

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
73db4778f76d6a658c7802c95c124302

SHA1
83f8780bdb6d72ae0fa53a3bc448a7c9938a36ab

SHA256
c62325b7b6421fb5ed8cf8e9807ef88ea649a065a14202edab1385e82085946d

SHA512
1bb5bc8d9e5ed80264bd6bd1619cfec37f222b488790ff39ba96870bf036dbe5558ef4b06d2e7b5f29915437b8713a9240c3b42fd4f5b0953e21c2c2b527219b

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
73db4778f76d6a658c7802c95c124302

SHA1
83f8780bdb6d72ae0fa53a3bc448a7c9938a36ab

SHA256
c62325b7b6421fb5ed8cf8e9807ef88ea649a065a14202edab1385e82085946d

SHA512
1bb5bc8d9e5ed80264bd6bd1619cfec37f222b488790ff39ba96870bf036dbe5558ef4b06d2e7b5f29915437b8713a9240c3b42fd4f5b0953e21c2c2b527219b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c9239b92a93318e49036daf6754ecc08

SHA1
4fb353dc4c22ff5f848cf002fd13e886c611bb67

SHA256
7f432eb3f544f53faa6d7a79c06abc2059fda0445ddcde17c2c98d6fa6dc5dbb

SHA512
f22701665d668442432e4c4993c041612af2dd894c9489003e613fdb6616557b0c53e1f040a9f60d01ced633904b76f2720c851d8b3e1ae2c7fbc249baf99740

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c9239b92a93318e49036daf6754ecc08

SHA1
4fb353dc4c22ff5f848cf002fd13e886c611bb67

SHA256
7f432eb3f544f53faa6d7a79c06abc2059fda0445ddcde17c2c98d6fa6dc5dbb

SHA512
f22701665d668442432e4c4993c041612af2dd894c9489003e613fdb6616557b0c53e1f040a9f60d01ced633904b76f2720c851d8b3e1ae2c7fbc249baf99740

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4d28623087b194f4d201fc82663b92a0

SHA1
c80f66f7e7d1510b69a19fa2b7435cd85c9ba66d

SHA256
570c718366388a7f8ecffba4ea97936628b9d092ae74c7f62f7619532a7a7b4e

SHA512
ee8df945917abbf7958f763243f8deca6034d716a482b77491bf22ccd77f3b22cf6f277e74f95b5eec8f10b954200bb58c8359e2e3968dea9dfce0ebc46339fe

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4d28623087b194f4d201fc82663b92a0

SHA1
c80f66f7e7d1510b69a19fa2b7435cd85c9ba66d

SHA256
570c718366388a7f8ecffba4ea97936628b9d092ae74c7f62f7619532a7a7b4e

SHA512
ee8df945917abbf7958f763243f8deca6034d716a482b77491bf22ccd77f3b22cf6f277e74f95b5eec8f10b954200bb58c8359e2e3968dea9dfce0ebc46339fe

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c56ff35e8580f1331335f3fc747fe792

SHA1
5b7a2b9a80f29e59cd3dff93d79e2cd4daef9a93

SHA256
93b4bf9df31edda0605b0ac99422e8461dfd5be952d84a6ee7277ce3ba14d5a1

SHA512
1a6828d05b0152187b38fdff6f6e675ef074eec018b9976fe06e0ceaaee4decf5c65d3395595a6d73292c44382a3163fdae1b670aec3822b728865e08f4407e1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
c56ff35e8580f1331335f3fc747fe792

SHA1
5b7a2b9a80f29e59cd3dff93d79e2cd4daef9a93

SHA256
93b4bf9df31edda0605b0ac99422e8461dfd5be952d84a6ee7277ce3ba14d5a1

SHA512
1a6828d05b0152187b38fdff6f6e675ef074eec018b9976fe06e0ceaaee4decf5c65d3395595a6d73292c44382a3163fdae1b670aec3822b728865e08f4407e1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
32d358c915160698567a3fe44a2f709a

SHA1
4a7f5834946a6c8b2078293800f064a8b3c45065

SHA256
7f3e3975047ec6125d40689c57d704d432fc975b1350801e95cbbb3a09a6dfc2

SHA512
bdc40ec9ea95ced0842a1db6e0e1cdce333d2d237380d5f92c3fb226fb2fc08f2f2bb427d8eadd751df93af8c6dce2204670e151d0335c1fa8479bed29025423

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
030db1d4462e829286451a0761406353

SHA1
6d8cc3a4ae5f76b0f9d59ea85162b3c03f48237f

SHA256
ffef387870770687e20f59e8e85e40dd74ab17be0213f7b05a02695b80856306

SHA512
fa5b7a8e8a60a886734d06c495715be873f16d29607079c871aee7e6bfcc2d366d8165205eb18b83c3db0b7857700bb5a8e45ed25d5db22c40b74788f726ed28

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
030db1d4462e829286451a0761406353

SHA1
6d8cc3a4ae5f76b0f9d59ea85162b3c03f48237f

SHA256
ffef387870770687e20f59e8e85e40dd74ab17be0213f7b05a02695b80856306

SHA512
fa5b7a8e8a60a886734d06c495715be873f16d29607079c871aee7e6bfcc2d366d8165205eb18b83c3db0b7857700bb5a8e45ed25d5db22c40b74788f726ed28

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7748469bf0ba648d0c5100d3bc25e660

SHA1
a1025fc1d00ff8c1f42e53861ab35d011f87051c

SHA256
8ae7851b34df64094fbf13fac258e81f796896eb3721f37ef29dcb1cfe17a8bf

SHA512
f4eb1fbd5a24e3a572ccb1df70f04a8fb8269849abfa74fe689de26b93563067f902e337ace860b20d5d839e28583a7218b434ae0065eded1f26c19f39e7f1cb

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
7748469bf0ba648d0c5100d3bc25e660

SHA1
a1025fc1d00ff8c1f42e53861ab35d011f87051c

SHA256
8ae7851b34df64094fbf13fac258e81f796896eb3721f37ef29dcb1cfe17a8bf

SHA512
f4eb1fbd5a24e3a572ccb1df70f04a8fb8269849abfa74fe689de26b93563067f902e337ace860b20d5d839e28583a7218b434ae0065eded1f26c19f39e7f1cb

Download Submit
\Users\Admin\AppData\Local\Temp\3145570234\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\3145570234\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
f0593f90b5469f469f5f3c04109ae111

SHA1
d150c7639e9647d60bb4ca2bb340b4d14734f399

SHA256
ad8cad76340c5d4e0683cf0945f7dea43e13458948a16ba4f0bf3fad82bdea71

SHA512
678fb9a6e4f6282f540d7bd5fedc8b4e1cfbb89128a2bd328a91db12b5f966809f2a9ec6dbe818a37d321b2dfb732c35612584c767d4eeb585a5e2b4cd9e0122

Download Submit
memory/952-98-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/952-170-0x00000000743F1000-0x00000000743F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads