3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
Size

72KB
MD5

6690d84459d4b06041f5cdd15e0aeec8
SHA1

8b21f417b2c8846acfb5f74c36af48d4c8bd1316
SHA256

3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff
SHA512

e8df2ab63d68d8cb4f8b76da8d3ee63e2662933cd9fe602c4901fc3d6e031300bc5006b2df74b4dd04aa637e0fe584edb88dc9c04a131fce1ee01c362759f3b5
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGI:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrd

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1928	backup.exe
1556	backup.exe
1940	backup.exe
1284	backup.exe
1116	backup.exe
1728	backup.exe
1732	backup.exe
1352	backup.exe
552	data.exe
1484	backup.exe
1688	backup.exe
1064	update.exe
1360	backup.exe
1868	backup.exe
1152	backup.exe
828	backup.exe
1788	backup.exe
1820	backup.exe
1444	backup.exe
1324	backup.exe
1304	backup.exe
1344	backup.exe
960	backup.exe
1244	backup.exe
1776	backup.exe
1136	backup.exe
1708	backup.exe
1592	backup.exe
1716	backup.exe
1864	backup.exe
548	backup.exe
1596	backup.exe
1696	backup.exe
552	backup.exe
1964	backup.exe
1960	backup.exe
1828	backup.exe
568	backup.exe
832	backup.exe
1692	backup.exe
1064	data.exe
472	backup.exe
584	backup.exe
1560	backup.exe
1292	backup.exe
1936	data.exe
792	backup.exe
1820	backup.exe
844	backup.exe
1324	backup.exe
1304	backup.exe
1344	backup.exe
960	backup.exe
1116	backup.exe
1776	backup.exe
1748	backup.exe
1708	backup.exe
1592	backup.exe
1816	backup.exe
1476	backup.exe
1040	backup.exe
1484	backup.exe
1068	backup.exe
2040	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
1352	backup.exe
1352	backup.exe
552	data.exe
552	data.exe
1352	backup.exe
1352	backup.exe
1688	backup.exe
1064	update.exe
1064	update.exe
1064	update.exe
1064	update.exe
1064	update.exe
1360	backup.exe
1360	backup.exe
1360	backup.exe
1688	backup.exe
1688	backup.exe
1868	backup.exe
1868	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1716	backup.exe
1716	backup.exe
1716	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	update.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
1928	backup.exe
1556	backup.exe
1940	backup.exe
1284	backup.exe
1116	backup.exe
1728	backup.exe
1732	backup.exe
1352	backup.exe
552	data.exe
1484	backup.exe
1688	backup.exe
1064	update.exe
1360	backup.exe
1868	backup.exe
1152	backup.exe
828	backup.exe
1788	backup.exe
1820	backup.exe
1444	backup.exe
1324	backup.exe
1304	backup.exe
1344	backup.exe
960	backup.exe
1244	backup.exe
1776	backup.exe
1136	backup.exe
1708	backup.exe
1592	backup.exe
1716	backup.exe
1864	backup.exe
548	backup.exe
1596	backup.exe
1696	backup.exe
552	backup.exe
1964	backup.exe
1960	backup.exe
1828	backup.exe
568	backup.exe
832	backup.exe
1692	backup.exe
1064	data.exe
472	backup.exe
584	backup.exe
1560	backup.exe
1292	backup.exe
1936	data.exe
792	backup.exe
1820	backup.exe
844	backup.exe
1324	backup.exe
1304	backup.exe
1344	backup.exe
960	backup.exe
1116	backup.exe
1776	backup.exe
1748	backup.exe
1708	backup.exe
1592	backup.exe
1816	backup.exe
1476	backup.exe
1040	backup.exe
1484	backup.exe
1068	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1928	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	27
PID 704 wrote to memory of 1928	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	27
PID 704 wrote to memory of 1928	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	27
PID 704 wrote to memory of 1928	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	27
PID 704 wrote to memory of 1556	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	28
PID 704 wrote to memory of 1556	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	28
PID 704 wrote to memory of 1556	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	28
PID 704 wrote to memory of 1556	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	28
PID 704 wrote to memory of 1940	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	29
PID 704 wrote to memory of 1940	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	29
PID 704 wrote to memory of 1940	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	29
PID 704 wrote to memory of 1940	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	29
PID 704 wrote to memory of 1284	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	30
PID 704 wrote to memory of 1284	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	30
PID 704 wrote to memory of 1284	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	30
PID 704 wrote to memory of 1284	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	30
PID 704 wrote to memory of 1116	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	31
PID 704 wrote to memory of 1116	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	31
PID 704 wrote to memory of 1116	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	31
PID 704 wrote to memory of 1116	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	31
PID 704 wrote to memory of 1728	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	32
PID 704 wrote to memory of 1728	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	32
PID 704 wrote to memory of 1728	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	32
PID 704 wrote to memory of 1728	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	32
PID 704 wrote to memory of 1732	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	33
PID 704 wrote to memory of 1732	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	33
PID 704 wrote to memory of 1732	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	33
PID 704 wrote to memory of 1732	704	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe	33
PID 1928 wrote to memory of 1352	1928	backup.exe	34
PID 1928 wrote to memory of 1352	1928	backup.exe	34
PID 1928 wrote to memory of 1352	1928	backup.exe	34
PID 1928 wrote to memory of 1352	1928	backup.exe	34
PID 1352 wrote to memory of 552	1352	backup.exe	35
PID 1352 wrote to memory of 552	1352	backup.exe	35
PID 1352 wrote to memory of 552	1352	backup.exe	35
PID 1352 wrote to memory of 552	1352	backup.exe	35
PID 552 wrote to memory of 1484	552	data.exe	36
PID 552 wrote to memory of 1484	552	data.exe	36
PID 552 wrote to memory of 1484	552	data.exe	36
PID 552 wrote to memory of 1484	552	data.exe	36
PID 1352 wrote to memory of 1688	1352	backup.exe	37
PID 1352 wrote to memory of 1688	1352	backup.exe	37
PID 1352 wrote to memory of 1688	1352	backup.exe	37
PID 1352 wrote to memory of 1688	1352	backup.exe	37
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1688 wrote to memory of 1064	1688	backup.exe	38
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1064 wrote to memory of 1360	1064	update.exe	39
PID 1688 wrote to memory of 1868	1688	backup.exe	40
PID 1688 wrote to memory of 1868	1688	backup.exe	40
PID 1688 wrote to memory of 1868	1688	backup.exe	40
PID 1688 wrote to memory of 1868	1688	backup.exe	40
PID 1868 wrote to memory of 1152	1868	backup.exe	41
PID 1868 wrote to memory of 1152	1868	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe
"C:\Users\Admin\AppData\Local\Temp\3dbc619b4f47b4855f794bbe229da3e9fd60e6ae603928b282fa085f88ebc3ff.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:704
- C:\Users\Admin\AppData\Local\Temp\2464442251\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2464442251\backup.exe C:\Users\Admin\AppData\Local\Temp\2464442251\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1928
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\PerfLogs\data.exe
      C:\PerfLogs\data.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:552
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1064
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1360
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1868
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:572
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:1128
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1008
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1568
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1252
        
        C:\Program Files\Common Files\System\ado\update.exe
        
        "C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1452
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files\Common Files\System\ado\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:1476
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1484
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1316
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1496
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1528
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1476
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1020
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1392
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:692
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1744
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1804
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:848
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1464
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1816
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2020
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1560
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1372
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1300
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1536
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:472
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1168
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1340
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1164
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1116
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1864
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:592
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2016
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:872
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        
        PID:1008
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:956
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:632
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
C:\Users\Admin\AppData\Local\Temp\2464442251\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2464442251\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a4438d8204cfc870703760802b094954

SHA1
61a4a690cf83e8f1824822135a5ff2253e2b8d08

SHA256
de8f406851ad361f42d6121404d7822ed399fa73aff81dcffc04f5fb2481f1b3

SHA512
4e86d4c5c5754c701500f677267c50c44e2e5622726cdc62c5921a7e99e07566c20d623f00683e8ecd48dd36c40b31718ad64f454fdcd255b341efffc91397e0

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a4438d8204cfc870703760802b094954

SHA1
61a4a690cf83e8f1824822135a5ff2253e2b8d08

SHA256
de8f406851ad361f42d6121404d7822ed399fa73aff81dcffc04f5fb2481f1b3

SHA512
4e86d4c5c5754c701500f677267c50c44e2e5622726cdc62c5921a7e99e07566c20d623f00683e8ecd48dd36c40b31718ad64f454fdcd255b341efffc91397e0

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ddd07cb1033ad9adb08ec9bb2f7ac611

SHA1
2350d5ac5a6e8504dfaf09d9fdda506c8e53d6a6

SHA256
df20096b36f90689ae15c572b8fd23d46aecc32d1545d78dae9a84f4de2d25ec

SHA512
e74d73dafeafb9df20fcce5fef12e726461529df04e058ab2807696de0d33f054696e3496e4309bd2c03d64d42bf02c91bfc6addbaf59ddf5784c68ab695df9d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
3d49b4ab612bf52841c34736a6e9518a

SHA1
e9215147fe2a124ec99b1a2824b13a1cacd83748

SHA256
8cf2e541fc2339c72facb719f570c957e3fe0d8a412bf3ba1e8ed5ff54b94cfd

SHA512
6ce2c3a5b22abf811fa86f3f93e4325ded94bc52ea82f3cae45608fbdf0cb95ec85352af08288af2cc887deae196b0567f5ec4f6d42effcf334befa86df1e27a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7907cb24fede7954d921b550ad8d8b77

SHA1
8d79b070c8d508664bff0ac1e7abee060852e716

SHA256
6ecfbf710f2c292d4ab8e3dc253b374a167b17a33ec0f129bc04d4658d85a490

SHA512
1648e6c7510829876f310b59bc155aee0115048319d34b44b82be338bbe90efb18279c870f35fe1a83f27621deae36d3ae6c31063697d8cb69d2680a80ea5067

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d3522fd6e3afe7bd7d91b4feda754320

SHA1
dcdbab8ea67f42539673e0b653b910ebbefab792

SHA256
04da7b931507284619a38021c2db64a28e504c61226bd7490410f8e8af63dcfd

SHA512
3b96c1df5518c3252042c9b3532f4d18a12a777a3d329b31a57ff2fff27d713be98fab79bd444891f36b6b38756943353fa823c50ee0022608fa43aa6efb25c8

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f661c73edf41fd9ba5c2349f4916445e

SHA1
b1a3026592e2c37afad7aa6f2a604145a752b11a

SHA256
4b3986856dc5d725cf3344363b0c03a6b0c0b1893248cde70dc652733b6d04dc

SHA512
ae8c986611bed16b11e9b1f14042c5e02117b5d8859e0b623b370fc09b3ca5db7caabfa5d0c8db368c980da331d499d650b43d013902340a9b828c55b90de267

Download Submit
\Users\Admin\AppData\Local\Temp\2464442251\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\2464442251\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cbd3363f2e48c6bb1db388c1ca76ce23

SHA1
d3679336b8c7edac455a26736c00f013f0fabddc

SHA256
132c22862eb739ce2a05ec315e1b6c7d14454080ea86ecc33e35e0bfdeb7fb8e

SHA512
2a410aef8f9f77d6d24d6e8852b59d7afdf1f12c5e8f6ecd4a4aa8de329ad8ffaea6d09a9fd6d39ed8af7ad277c027bf041797a0cb417bd5bf6f6c42de3ccde9

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ad3e886eb129c7421502c681441b9c59

SHA1
09e82d681de610bad2e8716bc7aef081ad002d51

SHA256
6a313a25abaca3262ca8c1bfee2cafe52df69235ffc5242b39aced9b96210390

SHA512
7ad21c0ebe17e01a3c529ebaa9b5e5fef41e694dc70a4beea4b25e7a58817d7b7a40d773f7c9ab37b3a570c0afe1bfa6365c73b9b2366a030da42d8fcc7f3dc2

Download Submit
memory/704-109-0x0000000073F11000-0x0000000073F13000-memory.dmp

Filesize
8KB

Download
memory/704-98-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads