d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7

Analysis

max time kernel
116s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
Size

72KB
MD5

a613e484580ba9d6c5c279e5e73d349a
SHA1

27f91089468ab2ebdffeaee0eead98eaf8022fc5
SHA256

d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7
SHA512

db4b2eba89cd823c9257daaeb0a00b518e4da970c7b5cd61e06fb59f2807222ffe0ae94afc31fc40915c9ab484f6967e15215d358f35bb5933e7cc232f730b51
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2n:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
632	backup.exe
1188	backup.exe
1492	backup.exe
596	backup.exe
900	backup.exe
548	backup.exe
1308	backup.exe
936	backup.exe
1752	backup.exe
1552	backup.exe
1120	backup.exe
296	backup.exe
680	update.exe
668	backup.exe
1560	update.exe
1620	backup.exe
852	backup.exe
572	backup.exe
524	backup.exe
1476	backup.exe
1888	backup.exe
656	backup.exe
1856	backup.exe
836	backup.exe
1308	backup.exe
1272	System Restore.exe
1836	backup.exe
1124	backup.exe
316	backup.exe
436	backup.exe
944	backup.exe
296	backup.exe
1168	backup.exe
2044	update.exe
916	backup.exe
2004	backup.exe
1480	backup.exe
1588	backup.exe
1528	backup.exe
1584	backup.exe
692	backup.exe
872	backup.exe
1420	backup.exe
1596	backup.exe
696	data.exe
844	backup.exe
780	update.exe
1556	backup.exe
1940	backup.exe
1664	backup.exe
1376	backup.exe
1548	backup.exe
1804	backup.exe
1956	backup.exe
1540	backup.exe
296	backup.exe
1168	backup.exe
2044	backup.exe
1760	backup.exe
1616	backup.exe
1728	backup.exe
1588	backup.exe
1032	backup.exe
972	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1188	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1188	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
596	backup.exe
596	backup.exe
1188	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1188	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1752	backup.exe
1752	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
1120	backup.exe
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
680	update.exe
680	update.exe
680	update.exe
1752	backup.exe
1752	backup.exe
668	backup.exe
1560	update.exe
1560	update.exe
1560	update.exe
1560	update.exe
1560	update.exe
1620	backup.exe
1620	backup.exe
1620	backup.exe
1560	update.exe
1560	update.exe
852	backup.exe
852	backup.exe
852	backup.exe
852	backup.exe
852	backup.exe
572	backup.exe
572	backup.exe
572	backup.exe
852	backup.exe
852	backup.exe
524	backup.exe
524	backup.exe
524	backup.exe
852	backup.exe
852	backup.exe
1476	backup.exe
1476	backup.exe
1476	backup.exe
852	backup.exe
852	backup.exe
1888	backup.exe
1888	backup.exe
1888	backup.exe
852	backup.exe
852	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe	backup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
632	backup.exe
1188	backup.exe
1492	backup.exe
900	backup.exe
596	backup.exe
548	backup.exe
1308	backup.exe
936	backup.exe
1752	backup.exe
1552	backup.exe
1120	backup.exe
296	backup.exe
680	update.exe
668	backup.exe
1560	update.exe
1620	backup.exe
852	backup.exe
572	backup.exe
524	backup.exe
1476	backup.exe
1888	backup.exe
656	backup.exe
1856	backup.exe
836	backup.exe
1308	backup.exe
1272	System Restore.exe
1836	backup.exe
1124	backup.exe
316	backup.exe
436	backup.exe
944	backup.exe
296	backup.exe
1168	backup.exe
2044	update.exe
916	backup.exe
1480	backup.exe
1588	backup.exe
1528	backup.exe
1584	backup.exe
692	backup.exe
872	backup.exe
1420	backup.exe
1596	backup.exe
696	data.exe
844	backup.exe
780	update.exe
1556	backup.exe
1940	backup.exe
1664	backup.exe
1376	backup.exe
1548	backup.exe
1804	backup.exe
1956	backup.exe
1540	backup.exe
296	backup.exe
1168	backup.exe
2044	backup.exe
1760	backup.exe
1616	backup.exe
1728	backup.exe
1588	backup.exe
1032	backup.exe
972	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 632	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	28
PID 1388 wrote to memory of 632	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	28
PID 1388 wrote to memory of 632	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	28
PID 1388 wrote to memory of 632	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	28
PID 632 wrote to memory of 1188	632	backup.exe	29
PID 632 wrote to memory of 1188	632	backup.exe	29
PID 632 wrote to memory of 1188	632	backup.exe	29
PID 632 wrote to memory of 1188	632	backup.exe	29
PID 1388 wrote to memory of 1492	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	30
PID 1388 wrote to memory of 1492	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	30
PID 1388 wrote to memory of 1492	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	30
PID 1388 wrote to memory of 1492	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	30
PID 1188 wrote to memory of 596	1188	backup.exe	31
PID 1188 wrote to memory of 596	1188	backup.exe	31
PID 1188 wrote to memory of 596	1188	backup.exe	31
PID 1188 wrote to memory of 596	1188	backup.exe	31
PID 1388 wrote to memory of 900	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	32
PID 1388 wrote to memory of 900	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	32
PID 1388 wrote to memory of 900	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	32
PID 1388 wrote to memory of 900	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	32
PID 1388 wrote to memory of 1308	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	33
PID 1388 wrote to memory of 1308	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	33
PID 1388 wrote to memory of 1308	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	33
PID 1388 wrote to memory of 1308	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	33
PID 596 wrote to memory of 548	596	backup.exe	34
PID 596 wrote to memory of 548	596	backup.exe	34
PID 596 wrote to memory of 548	596	backup.exe	34
PID 596 wrote to memory of 548	596	backup.exe	34
PID 1388 wrote to memory of 936	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	35
PID 1388 wrote to memory of 936	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	35
PID 1388 wrote to memory of 936	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	35
PID 1388 wrote to memory of 936	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	35
PID 1188 wrote to memory of 1752	1188	backup.exe	36
PID 1188 wrote to memory of 1752	1188	backup.exe	36
PID 1188 wrote to memory of 1752	1188	backup.exe	36
PID 1188 wrote to memory of 1752	1188	backup.exe	36
PID 1388 wrote to memory of 1552	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	37
PID 1388 wrote to memory of 1552	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	37
PID 1388 wrote to memory of 1552	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	37
PID 1388 wrote to memory of 1552	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	37
PID 1752 wrote to memory of 1120	1752	backup.exe	38
PID 1752 wrote to memory of 1120	1752	backup.exe	38
PID 1752 wrote to memory of 1120	1752	backup.exe	38
PID 1752 wrote to memory of 1120	1752	backup.exe	38
PID 1388 wrote to memory of 296	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	39
PID 1388 wrote to memory of 296	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	39
PID 1388 wrote to memory of 296	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	39
PID 1388 wrote to memory of 296	1388	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe	39
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1120 wrote to memory of 680	1120	backup.exe	40
PID 1752 wrote to memory of 668	1752	backup.exe	41
PID 1752 wrote to memory of 668	1752	backup.exe	41
PID 1752 wrote to memory of 668	1752	backup.exe	41
PID 1752 wrote to memory of 668	1752	backup.exe	41
PID 668 wrote to memory of 1560	668	backup.exe	42
PID 668 wrote to memory of 1560	668	backup.exe	42
PID 668 wrote to memory of 1560	668	backup.exe	42
PID 668 wrote to memory of 1560	668	backup.exe	42
PID 668 wrote to memory of 1560	668	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe
"C:\Users\Admin\AppData\Local\Temp\d8aba7dddb17c72f7a82dd887807ceaf7207379cd9d04b9e25c9bb8f8abceed7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388
- C:\Users\Admin\AppData\Local\Temp\4087837275\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4087837275\backup.exe C:\Users\Admin\AppData\Local\Temp\4087837275\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1188
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:548
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:680
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:668
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1028
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:788
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1420
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:956
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1940
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1348
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1192
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1648
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:896
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1488
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:924
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2028
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1768
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:780
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1636
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1140
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:588
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:680
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1888
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System policy modification
        
        PID:436
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1536
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1272
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1620
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1584
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1520
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:828
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1588
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:852
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1696
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1136
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:2032
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:692
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1236
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1192
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:844
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1420
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:692
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1188
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:788
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2044
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        System policy modification
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:924
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1592
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1500
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1324
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:980
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1756
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:544
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1884
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:568
      - C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1948
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1168
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Disables RegEdit via registry modification
        
        PID:368
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1228
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:640
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1996
    - - C:\Program Files (x86)\Internet Explorer\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\update.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:616
    - - C:\Program Files (x86)\Microsoft Analysis Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1720
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:548
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2004
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1656
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1884
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1584
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1780
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1624
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        System policy modification
        
        PID:1720
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:820
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1144
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1308
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1324
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1620
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:112
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:616
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1828
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:340
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:820
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:972
      - C:\Windows\AppPatch\en-US\update.exe
        
        C:\Windows\AppPatch\en-US\update.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1920
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1584
    - - C:\Windows\Branding\System Restore.exe
        
        "C:\Windows\Branding\System Restore.exe" C:\Windows\Branding\
        5⤵
        
        PID:1888
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1040
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:936
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
862c9efdb5dc4da82d8369245a844c50

SHA1
3c7a29ee7c21e62c391564119dce0ed88e7f7230

SHA256
294e16c7b9d955af43813508482545959257b31d067303d81eabcc7c30407e3a

SHA512
79a79a528c36e30af33ba260d19e68d4586a6f5c4e5742b12c0e21a7c57e5c27c8ca2d0d204a683b78faaf9539276233858b9986e528d7d3283c502dc0454e80

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
ea9afbc63e460f7b2fa5c1841879fc64

SHA1
0c648e22ee71e5ab821b8b95fcf033a7bdf832bc

SHA256
79d9240ce965737129e2c2a6b4d230ec5cb48af8b99a58cec657f9e53d7a0346

SHA512
f56fd12c1953a2a4263d13bd3799ece942f9172418c3119bc180e2634bdcb820135409a95791f94562fa4049bbc256ecd0a7cd370608d6ede5ab485bb760a725

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
ea9afbc63e460f7b2fa5c1841879fc64

SHA1
0c648e22ee71e5ab821b8b95fcf033a7bdf832bc

SHA256
79d9240ce965737129e2c2a6b4d230ec5cb48af8b99a58cec657f9e53d7a0346

SHA512
f56fd12c1953a2a4263d13bd3799ece942f9172418c3119bc180e2634bdcb820135409a95791f94562fa4049bbc256ecd0a7cd370608d6ede5ab485bb760a725

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
85821ab316d6a478d1015d31e759de95

SHA1
b48d1bc906fdf4ee92f92a1d80916bdf0709d1fd

SHA256
308a48a43fd7d3f58881c9721f697a574c7298faed167f6da93d39da7371b14d

SHA512
f20e818dac0a525c0745951bf0414ba1dac38f5549f5bf79fdfdc69ecd60021cac6178cacbfa812b066068347bb49204df08c22a260eff04c47fba2211c50805

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
85821ab316d6a478d1015d31e759de95

SHA1
b48d1bc906fdf4ee92f92a1d80916bdf0709d1fd

SHA256
308a48a43fd7d3f58881c9721f697a574c7298faed167f6da93d39da7371b14d

SHA512
f20e818dac0a525c0745951bf0414ba1dac38f5549f5bf79fdfdc69ecd60021cac6178cacbfa812b066068347bb49204df08c22a260eff04c47fba2211c50805

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
de2dcb46c2f3e7452c81f73ddfa4ca40

SHA1
1f92b7e2850a4bce5ae322142f364183a43d0da9

SHA256
d9dd95458f81f4d5a48e151f745cc2adfdac70997cf506704327566625b8c1b4

SHA512
2fe63cbe7ce9b03be0ac5082ee7cda1c35255ec9ddcbcd69c9f073283ed648fd1e84f8e92ab2bc6de21457d615de950c6216b0788664434d86d2b52da4a898b0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
de2dcb46c2f3e7452c81f73ddfa4ca40

SHA1
1f92b7e2850a4bce5ae322142f364183a43d0da9

SHA256
d9dd95458f81f4d5a48e151f745cc2adfdac70997cf506704327566625b8c1b4

SHA512
2fe63cbe7ce9b03be0ac5082ee7cda1c35255ec9ddcbcd69c9f073283ed648fd1e84f8e92ab2bc6de21457d615de950c6216b0788664434d86d2b52da4a898b0

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2635d7ec92e43d6a02bd9d1bca3408ab

SHA1
651cd5465819e6a3cbd28f8125ecd07ce8622b48

SHA256
b61613c667eb0f75a5b19340951bca4299da9597a7db4dea878e967b61e4a319

SHA512
90c6e45d7e7ed5ebe9642baa2e748eb9cfbdddf35a91c1117c14561c4422d1cdbf0439094fe9a5d24d30ae3791fa25d5e53f89a2b84024d9ada03884f4d7719b

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2635d7ec92e43d6a02bd9d1bca3408ab

SHA1
651cd5465819e6a3cbd28f8125ecd07ce8622b48

SHA256
b61613c667eb0f75a5b19340951bca4299da9597a7db4dea878e967b61e4a319

SHA512
90c6e45d7e7ed5ebe9642baa2e748eb9cfbdddf35a91c1117c14561c4422d1cdbf0439094fe9a5d24d30ae3791fa25d5e53f89a2b84024d9ada03884f4d7719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4087837275\backup.exe

Filesize
72KB

MD5
37e7f7cfb7d58d7dc472d9ae1eedf978

SHA1
e6f13d1406f8d225f38290de810f193fc2cc416b

SHA256
c9237f74686ddd995adb166f8753f1dc8d0bc6fb6fd373b011c28dff0ea705fb

SHA512
ebc775cab4c0f2f69e3956d8f7340e9c703018bee66e6ffe1ee348f3ca0505b795585f1ab798037361be7070e982da00898fcedfce29949db845ad5e44e25496

Download Submit
C:\Users\Admin\AppData\Local\Temp\4087837275\backup.exe

Filesize
72KB

MD5
37e7f7cfb7d58d7dc472d9ae1eedf978

SHA1
e6f13d1406f8d225f38290de810f193fc2cc416b

SHA256
c9237f74686ddd995adb166f8753f1dc8d0bc6fb6fd373b011c28dff0ea705fb

SHA512
ebc775cab4c0f2f69e3956d8f7340e9c703018bee66e6ffe1ee348f3ca0505b795585f1ab798037361be7070e982da00898fcedfce29949db845ad5e44e25496

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
1c0b789c2aee763fdeaa1639644b1892

SHA1
b4592c0375f705df46451fa7ab75cef78559df13

SHA256
cedbb9aeb96100b53b3c9e4e67dcf75b5ca372aad7c54e2c5035f2baa6c7275e

SHA512
cd067ccf19bc7144e740e829bdf8d11a770c000915be874c4034caa88bed8351f14f6f5f17cb43fb867039f88fce9b69bd68af884ed60105f1ec75b9153406c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c63dd0db712fe229e1b68e41b9474943

SHA1
a1ed6ae83f4fde4140e938462dbbfaf9579c96d8

SHA256
d2429419edc38235c8a2d556f7bbbdd359795ba9b1383636effde9a267b056cc

SHA512
08e096587152b049c39beb9cd4850c9b21eb553cdd43246f42c633aca19e84dcdb33e31cb52ddf5da57eac9e8ffcbe86a5fa94fe01044b9646ee635b144ce6e1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c63dd0db712fe229e1b68e41b9474943

SHA1
a1ed6ae83f4fde4140e938462dbbfaf9579c96d8

SHA256
d2429419edc38235c8a2d556f7bbbdd359795ba9b1383636effde9a267b056cc

SHA512
08e096587152b049c39beb9cd4850c9b21eb553cdd43246f42c633aca19e84dcdb33e31cb52ddf5da57eac9e8ffcbe86a5fa94fe01044b9646ee635b144ce6e1

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
862c9efdb5dc4da82d8369245a844c50

SHA1
3c7a29ee7c21e62c391564119dce0ed88e7f7230

SHA256
294e16c7b9d955af43813508482545959257b31d067303d81eabcc7c30407e3a

SHA512
79a79a528c36e30af33ba260d19e68d4586a6f5c4e5742b12c0e21a7c57e5c27c8ca2d0d204a683b78faaf9539276233858b9986e528d7d3283c502dc0454e80

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
862c9efdb5dc4da82d8369245a844c50

SHA1
3c7a29ee7c21e62c391564119dce0ed88e7f7230

SHA256
294e16c7b9d955af43813508482545959257b31d067303d81eabcc7c30407e3a

SHA512
79a79a528c36e30af33ba260d19e68d4586a6f5c4e5742b12c0e21a7c57e5c27c8ca2d0d204a683b78faaf9539276233858b9986e528d7d3283c502dc0454e80

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
ea9afbc63e460f7b2fa5c1841879fc64

SHA1
0c648e22ee71e5ab821b8b95fcf033a7bdf832bc

SHA256
79d9240ce965737129e2c2a6b4d230ec5cb48af8b99a58cec657f9e53d7a0346

SHA512
f56fd12c1953a2a4263d13bd3799ece942f9172418c3119bc180e2634bdcb820135409a95791f94562fa4049bbc256ecd0a7cd370608d6ede5ab485bb760a725

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
ea9afbc63e460f7b2fa5c1841879fc64

SHA1
0c648e22ee71e5ab821b8b95fcf033a7bdf832bc

SHA256
79d9240ce965737129e2c2a6b4d230ec5cb48af8b99a58cec657f9e53d7a0346

SHA512
f56fd12c1953a2a4263d13bd3799ece942f9172418c3119bc180e2634bdcb820135409a95791f94562fa4049bbc256ecd0a7cd370608d6ede5ab485bb760a725

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
c5eeb7c0ccd344f37ca61ba5fde590aa

SHA1
400cd0b4bc35bc7a4bc8d2c5c8543290a0a58938

SHA256
b4f2cf76fab7e942650166cd7a162bb31c1a83bca5e416e1ea3a87dad211144e

SHA512
697274cb529bcb8e230aba72143ae24fd9d3981a52eb860882731f59ba97608b0e8ef524803dcde3b968775cd3511f2614b651edad5c3c036be5240e9b65c060

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
85821ab316d6a478d1015d31e759de95

SHA1
b48d1bc906fdf4ee92f92a1d80916bdf0709d1fd

SHA256
308a48a43fd7d3f58881c9721f697a574c7298faed167f6da93d39da7371b14d

SHA512
f20e818dac0a525c0745951bf0414ba1dac38f5549f5bf79fdfdc69ecd60021cac6178cacbfa812b066068347bb49204df08c22a260eff04c47fba2211c50805

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
85821ab316d6a478d1015d31e759de95

SHA1
b48d1bc906fdf4ee92f92a1d80916bdf0709d1fd

SHA256
308a48a43fd7d3f58881c9721f697a574c7298faed167f6da93d39da7371b14d

SHA512
f20e818dac0a525c0745951bf0414ba1dac38f5549f5bf79fdfdc69ecd60021cac6178cacbfa812b066068347bb49204df08c22a260eff04c47fba2211c50805

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d897e4d83c974804305333d21122581f

SHA1
75548a941e1aea63b7bf355ce2e038132c687952

SHA256
39e79803e16238e25b4f07ea89941584c261344b00cb2a0a641fa429b1c2223f

SHA512
aaed788e822e5b736bdd396b93b7f443f13b5e319f307d1d8b35d99e0248045bd2eca6d5453c69f64d1089adc1a7cae84216051eeba27594ffb74aaa23388faf

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
4538881704838ac34cecdd13771701f9

SHA1
ed3582a423ae1f6b98d3d43efaadc06c8c14bd7a

SHA256
74b96251180939ef488c7ec1ae287421781c576adc28bf3fe68010cb1e27a055

SHA512
41abac3e19a9321d06f8bbbea195ffc1d3120a71da553cad3705bed6bd9c31f9e4d3f17129703f89392a1d314b10005dc168e613e5cafac511001e69eab4541c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
de2dcb46c2f3e7452c81f73ddfa4ca40

SHA1
1f92b7e2850a4bce5ae322142f364183a43d0da9

SHA256
d9dd95458f81f4d5a48e151f745cc2adfdac70997cf506704327566625b8c1b4

SHA512
2fe63cbe7ce9b03be0ac5082ee7cda1c35255ec9ddcbcd69c9f073283ed648fd1e84f8e92ab2bc6de21457d615de950c6216b0788664434d86d2b52da4a898b0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
de2dcb46c2f3e7452c81f73ddfa4ca40

SHA1
1f92b7e2850a4bce5ae322142f364183a43d0da9

SHA256
d9dd95458f81f4d5a48e151f745cc2adfdac70997cf506704327566625b8c1b4

SHA512
2fe63cbe7ce9b03be0ac5082ee7cda1c35255ec9ddcbcd69c9f073283ed648fd1e84f8e92ab2bc6de21457d615de950c6216b0788664434d86d2b52da4a898b0

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2635d7ec92e43d6a02bd9d1bca3408ab

SHA1
651cd5465819e6a3cbd28f8125ecd07ce8622b48

SHA256
b61613c667eb0f75a5b19340951bca4299da9597a7db4dea878e967b61e4a319

SHA512
90c6e45d7e7ed5ebe9642baa2e748eb9cfbdddf35a91c1117c14561c4422d1cdbf0439094fe9a5d24d30ae3791fa25d5e53f89a2b84024d9ada03884f4d7719b

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2635d7ec92e43d6a02bd9d1bca3408ab

SHA1
651cd5465819e6a3cbd28f8125ecd07ce8622b48

SHA256
b61613c667eb0f75a5b19340951bca4299da9597a7db4dea878e967b61e4a319

SHA512
90c6e45d7e7ed5ebe9642baa2e748eb9cfbdddf35a91c1117c14561c4422d1cdbf0439094fe9a5d24d30ae3791fa25d5e53f89a2b84024d9ada03884f4d7719b

Download Submit
\Users\Admin\AppData\Local\Temp\4087837275\backup.exe

Filesize
72KB

MD5
37e7f7cfb7d58d7dc472d9ae1eedf978

SHA1
e6f13d1406f8d225f38290de810f193fc2cc416b

SHA256
c9237f74686ddd995adb166f8753f1dc8d0bc6fb6fd373b011c28dff0ea705fb

SHA512
ebc775cab4c0f2f69e3956d8f7340e9c703018bee66e6ffe1ee348f3ca0505b795585f1ab798037361be7070e982da00898fcedfce29949db845ad5e44e25496

Download Submit
\Users\Admin\AppData\Local\Temp\4087837275\backup.exe

Filesize
72KB

MD5
37e7f7cfb7d58d7dc472d9ae1eedf978

SHA1
e6f13d1406f8d225f38290de810f193fc2cc416b

SHA256
c9237f74686ddd995adb166f8753f1dc8d0bc6fb6fd373b011c28dff0ea705fb

SHA512
ebc775cab4c0f2f69e3956d8f7340e9c703018bee66e6ffe1ee348f3ca0505b795585f1ab798037361be7070e982da00898fcedfce29949db845ad5e44e25496

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
1c0b789c2aee763fdeaa1639644b1892

SHA1
b4592c0375f705df46451fa7ab75cef78559df13

SHA256
cedbb9aeb96100b53b3c9e4e67dcf75b5ca372aad7c54e2c5035f2baa6c7275e

SHA512
cd067ccf19bc7144e740e829bdf8d11a770c000915be874c4034caa88bed8351f14f6f5f17cb43fb867039f88fce9b69bd68af884ed60105f1ec75b9153406c1

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
1c0b789c2aee763fdeaa1639644b1892

SHA1
b4592c0375f705df46451fa7ab75cef78559df13

SHA256
cedbb9aeb96100b53b3c9e4e67dcf75b5ca372aad7c54e2c5035f2baa6c7275e

SHA512
cd067ccf19bc7144e740e829bdf8d11a770c000915be874c4034caa88bed8351f14f6f5f17cb43fb867039f88fce9b69bd68af884ed60105f1ec75b9153406c1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
38e8301c8bea3a6e3f924b946e62fa4d

SHA1
3331b84eedc1b0251c6399af89d137c1d2cc16a0

SHA256
5f5c4663dec32e96ec319fb5283c9f673b4c5fa68ae8b34f1fb1e0e3d5782660

SHA512
2f822067ad6d4818ab30d718800e25d979645dbfd44b0a92aa7c482b1dc8975ccb65b693b27733641214dc9cbe6929e294d057df7f90194206fa8444b007c841

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
77442ee07578c9d5092d77ce158bb43d

SHA1
57b7ced505473a6b00b72b770fd9862b0620ea85

SHA256
2c0743eec01beddcc8db48c3bf267eaf4223af6242c94dd40dcf1a5d1d07d4de

SHA512
d5a273cbca90a5af5d9e4f43447cb2359b5021ec240f6fa1c7e89041676e5fd85ab7bbc171b52802e93ee07657f020f1bd409e5faead9c99d121b133cfefe7a1

Download Submit
memory/680-135-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1388-170-0x0000000074621000-0x0000000074623000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads