5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941

Analysis

max time kernel
179s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 01:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
Size

72KB
MD5

12d5b5b146fda1065decf3b92ec197c3
SHA1

c27fd4c19dc2f85e8dcf2babdc231e9a1da80eab
SHA256

5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941
SHA512

cdf719970e984a735c16edf37f63af103968d5a94be565c476c982376a0c74d7d03638e5355b84a62899e811f78af433d7d543f62e5e7a396a2893221fc956fd
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3kpc:teThavEjDWguKUS

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
972	backup.exe
1556	backup.exe
1200	backup.exe
1228	backup.exe
1320	backup.exe
636	backup.exe
592	backup.exe
1748	backup.exe
1784	backup.exe
848	backup.exe
540	backup.exe
1788	backup.exe
1908	backup.exe
1972	System Restore.exe
1304	backup.exe
1144	backup.exe
1004	backup.exe
1020	backup.exe
628	backup.exe
844	backup.exe
1560	backup.exe
1424	backup.exe
1512	backup.exe
1168	backup.exe
432	backup.exe
580	backup.exe
592	backup.exe
1628	backup.exe
1632	backup.exe
1568	backup.exe
1944	data.exe
1900	backup.exe
1904	backup.exe
676	backup.exe
1540	backup.exe
1912	backup.exe
1988	System Restore.exe
1192	backup.exe
1388	backup.exe
1920	backup.exe
984	backup.exe
1792	backup.exe
1680	backup.exe
1736	backup.exe
1652	backup.exe
956	backup.exe
1476	update.exe
1552	backup.exe
1040	backup.exe
1364	backup.exe
1800	backup.exe
1732	backup.exe
628	backup.exe
1188	backup.exe
1072	backup.exe
1244	backup.exe
1220	backup.exe
2028	backup.exe
1632	backup.exe
392	backup.exe
880	backup.exe
1328	backup.exe
584	backup.exe
1944	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
1748	backup.exe
1748	backup.exe
1784	backup.exe
1784	backup.exe
1748	backup.exe
1748	backup.exe
540	backup.exe
540	backup.exe
1788	backup.exe
1788	backup.exe
540	backup.exe
540	backup.exe
1972	System Restore.exe
1972	System Restore.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1004	backup.exe
1004	backup.exe
1004	backup.exe
1004	backup.exe
1304	backup.exe
1748	backup.exe
1304	backup.exe
1748	backup.exe
1004	backup.exe
1004	backup.exe
1972	System Restore.exe
1972	System Restore.exe
540	backup.exe
540	backup.exe
1972	System Restore.exe
1168	backup.exe
1972	System Restore.exe
1168	backup.exe
844	backup.exe
844	backup.exe
1004	backup.exe
1560	backup.exe
1560	backup.exe
1004	backup.exe
592	backup.exe
592	backup.exe
1168	backup.exe
1168	backup.exe
1560	backup.exe
1560	backup.exe
1004	backup.exe
1004	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
972	backup.exe
1556	backup.exe
1200	backup.exe
1228	backup.exe
1320	backup.exe
636	backup.exe
592	backup.exe
1748	backup.exe
1784	backup.exe
848	backup.exe
540	backup.exe
1788	backup.exe
1908	backup.exe
1972	System Restore.exe
1304	backup.exe
1144	backup.exe
1004	backup.exe
1020	backup.exe
628	backup.exe
844	backup.exe
1560	backup.exe
1512	backup.exe
1424	backup.exe
1168	backup.exe
432	backup.exe
580	backup.exe
592	backup.exe
1628	backup.exe
1632	backup.exe
1568	backup.exe
1944	data.exe
1900	backup.exe
1904	backup.exe
676	backup.exe
1540	backup.exe
1912	backup.exe
1988	System Restore.exe
1192	backup.exe
1388	backup.exe
1920	backup.exe
984	backup.exe
1680	backup.exe
1792	backup.exe
956	backup.exe
1736	backup.exe
1652	backup.exe
1552	backup.exe
1040	backup.exe
1364	backup.exe
1732	backup.exe
1800	backup.exe
628	backup.exe
1188	backup.exe
1244	backup.exe
1072	backup.exe
1220	backup.exe
2028	backup.exe
1632	backup.exe
392	backup.exe
880	backup.exe
584	backup.exe
1328	backup.exe
1944	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 972	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	27
PID 1776 wrote to memory of 972	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	27
PID 1776 wrote to memory of 972	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	27
PID 1776 wrote to memory of 972	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	27
PID 1776 wrote to memory of 1556	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	28
PID 1776 wrote to memory of 1556	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	28
PID 1776 wrote to memory of 1556	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	28
PID 1776 wrote to memory of 1556	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	28
PID 1776 wrote to memory of 1200	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	29
PID 1776 wrote to memory of 1200	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	29
PID 1776 wrote to memory of 1200	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	29
PID 1776 wrote to memory of 1200	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	29
PID 1776 wrote to memory of 1228	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	30
PID 1776 wrote to memory of 1228	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	30
PID 1776 wrote to memory of 1228	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	30
PID 1776 wrote to memory of 1228	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	30
PID 1776 wrote to memory of 1320	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	31
PID 1776 wrote to memory of 1320	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	31
PID 1776 wrote to memory of 1320	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	31
PID 1776 wrote to memory of 1320	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	31
PID 1776 wrote to memory of 636	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	32
PID 1776 wrote to memory of 636	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	32
PID 1776 wrote to memory of 636	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	32
PID 1776 wrote to memory of 636	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	32
PID 1776 wrote to memory of 592	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	33
PID 1776 wrote to memory of 592	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	33
PID 1776 wrote to memory of 592	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	33
PID 1776 wrote to memory of 592	1776	5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe	33
PID 972 wrote to memory of 1748	972	backup.exe	34
PID 972 wrote to memory of 1748	972	backup.exe	34
PID 972 wrote to memory of 1748	972	backup.exe	34
PID 972 wrote to memory of 1748	972	backup.exe	34
PID 1748 wrote to memory of 1784	1748	backup.exe	35
PID 1748 wrote to memory of 1784	1748	backup.exe	35
PID 1748 wrote to memory of 1784	1748	backup.exe	35
PID 1748 wrote to memory of 1784	1748	backup.exe	35
PID 1784 wrote to memory of 848	1784	backup.exe	36
PID 1784 wrote to memory of 848	1784	backup.exe	36
PID 1784 wrote to memory of 848	1784	backup.exe	36
PID 1784 wrote to memory of 848	1784	backup.exe	36
PID 1748 wrote to memory of 540	1748	backup.exe	37
PID 1748 wrote to memory of 540	1748	backup.exe	37
PID 1748 wrote to memory of 540	1748	backup.exe	37
PID 1748 wrote to memory of 540	1748	backup.exe	37
PID 540 wrote to memory of 1788	540	backup.exe	38
PID 540 wrote to memory of 1788	540	backup.exe	38
PID 540 wrote to memory of 1788	540	backup.exe	38
PID 540 wrote to memory of 1788	540	backup.exe	38
PID 1788 wrote to memory of 1908	1788	backup.exe	39
PID 1788 wrote to memory of 1908	1788	backup.exe	39
PID 1788 wrote to memory of 1908	1788	backup.exe	39
PID 1788 wrote to memory of 1908	1788	backup.exe	39
PID 540 wrote to memory of 1972	540	backup.exe	40
PID 540 wrote to memory of 1972	540	backup.exe	40
PID 540 wrote to memory of 1972	540	backup.exe	40
PID 540 wrote to memory of 1972	540	backup.exe	40
PID 1972 wrote to memory of 1304	1972	System Restore.exe	41
PID 1972 wrote to memory of 1304	1972	System Restore.exe	41
PID 1972 wrote to memory of 1304	1972	System Restore.exe	41
PID 1972 wrote to memory of 1304	1972	System Restore.exe	41
PID 1304 wrote to memory of 1144	1304	backup.exe	42
PID 1304 wrote to memory of 1144	1304	backup.exe	42
PID 1304 wrote to memory of 1144	1304	backup.exe	42
PID 1304 wrote to memory of 1144	1304	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe
"C:\Users\Admin\AppData\Local\Temp\5d7029224b2fcf1729cbd742abc51deafe91dcac0d9927087ce71ac070493941.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\2963611575\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2963611575\backup.exe C:\Users\Admin\AppData\Local\Temp\2963611575\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:972
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1748
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:540
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1788
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1972
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:1424
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\VC\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1188
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:676
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1188
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\data.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1432
        
        C:\Program Files\Common Files\System\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\en-US\System Restore.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1528
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1320
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:268
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:432
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1928
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1724
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:580
      - C:\Program Files\DVD Maker\en-US\data.exe
        
        "C:\Program Files\DVD Maker\en-US\data.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:628
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1416
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        System policy modification
        
        PID:960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:580
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1908
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:268
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1556
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1840
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2036
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:564
    - - C:\Program Files\Microsoft Games\update.exe
        
        "C:\Program Files\Microsoft Games\update.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1564
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:844
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:592
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1484
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:956
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:392
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1176
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1012
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:772
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1572
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1400
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:636
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b6be3d3153bd243286b52dcf4a7718e

SHA1
c2fca6b915411ce1a759662710050eaf80a79132

SHA256
ba3f9843703ab90e5ae3d3696bb30857847e4f925f703aa3ed7b8800eb1d4a3d

SHA512
27a6a6353df480f3234bccd47626cee96027e47e6ecad09bab16f2041735c4409a134a86634edf985a5bb123d1cc53451bb2d91024dfc98039842519510c8e86

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
726ad2efada5e701d0e52badb7d8b64d

SHA1
07123caf2baf7611d24ec74d47fe7f58a9d02178

SHA256
93bf9cab597925b93023f0f830119458990505ebcf7058051613157f8af24716

SHA512
06d18d12192369ecbf5a606a3013a6ff1d61947524131a27d592269f1117535f0f4a039201d3c30860bbe66ea257a48c19f3bdd88ac0d5d68d519cbeb2c113d6

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
726ad2efada5e701d0e52badb7d8b64d

SHA1
07123caf2baf7611d24ec74d47fe7f58a9d02178

SHA256
93bf9cab597925b93023f0f830119458990505ebcf7058051613157f8af24716

SHA512
06d18d12192369ecbf5a606a3013a6ff1d61947524131a27d592269f1117535f0f4a039201d3c30860bbe66ea257a48c19f3bdd88ac0d5d68d519cbeb2c113d6

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1d7498e4a9dcaa97bc81b17725e1c67b

SHA1
e9c26d0dbcd82cd3de6311af8c9c8f64fef274ab

SHA256
07ed6da7ddd37d982fec117f3980ab215bd46ba218daec50813efd0fa4fba1ee

SHA512
765db03082e293cc25c60372a90b4043582f51ddb916a1d9ccc76ab5f97f87bb15c022500dac5dc4f8c61aa8ccbb4272f3d32b6edf2da45acbaf1f5a67994ac0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
711804f53bf105550d8cfabc320dd1e7

SHA1
268e40c2eef52159ffe751320e8cf91ffc666c80

SHA256
93c45376b1862938310c62df3b27847e0bfa40b8f23afab957bd76b510143ae7

SHA512
8d6e67a44c39193c33b074b5f52b5cb575150dda466cad40de10dd621019c303f8f3549595e4896666d68111f42694c39626c136ec338cb9a961ca25b0e3fca2

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
711804f53bf105550d8cfabc320dd1e7

SHA1
268e40c2eef52159ffe751320e8cf91ffc666c80

SHA256
93c45376b1862938310c62df3b27847e0bfa40b8f23afab957bd76b510143ae7

SHA512
8d6e67a44c39193c33b074b5f52b5cb575150dda466cad40de10dd621019c303f8f3549595e4896666d68111f42694c39626c136ec338cb9a961ca25b0e3fca2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a7af6b0dd7590a0483e409b2c19bb7c4

SHA1
62753493e8b70e1bdbd9172f9ab435b348ba2f27

SHA256
9fc3c624b3a62fc9e488a0fffc74574e6816ce0edfbaf1a5b809bacc3626bea1

SHA512
267a7b0139a76c7fc291faa9d14c502e9bdbb8e37a44531d7a1d643b817bc94005b045da7f367a6d07eff13e07def22e758adc8895c513d68f9aa2711e8322af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a7af6b0dd7590a0483e409b2c19bb7c4

SHA1
62753493e8b70e1bdbd9172f9ab435b348ba2f27

SHA256
9fc3c624b3a62fc9e488a0fffc74574e6816ce0edfbaf1a5b809bacc3626bea1

SHA512
267a7b0139a76c7fc291faa9d14c502e9bdbb8e37a44531d7a1d643b817bc94005b045da7f367a6d07eff13e07def22e758adc8895c513d68f9aa2711e8322af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
1f842ddea4d462c09229beed84b24d3f

SHA1
80413b515683614f467072560e5b4d7792a31eb0

SHA256
2b697114a718ca34964085bfbe9f5b90e39e197c544573f2d47f1d04ba601687

SHA512
aef5fca66ea17a7d56d766fd5d4199561c1ff75caf4ce06d6c57736e8c357bcbd5b1d4da49f00526af2fe614c805b843634ce4ac44b8357ae3d895f9dad21e79

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
1f842ddea4d462c09229beed84b24d3f

SHA1
80413b515683614f467072560e5b4d7792a31eb0

SHA256
2b697114a718ca34964085bfbe9f5b90e39e197c544573f2d47f1d04ba601687

SHA512
aef5fca66ea17a7d56d766fd5d4199561c1ff75caf4ce06d6c57736e8c357bcbd5b1d4da49f00526af2fe614c805b843634ce4ac44b8357ae3d895f9dad21e79

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ed348daadc375dd2755ffcd60738705f

SHA1
eddc182fa5e9a5f8d3e5a7ae2acbee34419331c5

SHA256
61f4ac7308f9c0adc6209a55a9378574add8e4deece84f3db7b80357600ad9c1

SHA512
c40bca70f7cb6fd0661c727a113124232b075c474874f3ef7433f4045b17086070e68ab1d94eb8c0a1f585862350ff1c42ef2964c7a49d49c7b5e0a6eae71650

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ed348daadc375dd2755ffcd60738705f

SHA1
eddc182fa5e9a5f8d3e5a7ae2acbee34419331c5

SHA256
61f4ac7308f9c0adc6209a55a9378574add8e4deece84f3db7b80357600ad9c1

SHA512
c40bca70f7cb6fd0661c727a113124232b075c474874f3ef7433f4045b17086070e68ab1d94eb8c0a1f585862350ff1c42ef2964c7a49d49c7b5e0a6eae71650

Download Submit
C:\Users\Admin\AppData\Local\Temp\2963611575\backup.exe

Filesize
72KB

MD5
2501494a1daa5a4ccd91a06e56c866ea

SHA1
38e2f4de69464a3daef659fd44a7fc0a669a9e47

SHA256
feb3d8d210496aca4042cc618a7d1ca9b3483e49a4cafc75ec268701fcdeb5fa

SHA512
b9fe2c07479413d294274e3f377bc66716db766a7b9d9547c1af7d9928d02c4d90891f880e82e0dfb5850da720d99404bf30ec542166ab80836a53ea014e62cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2963611575\backup.exe

Filesize
72KB

MD5
2501494a1daa5a4ccd91a06e56c866ea

SHA1
38e2f4de69464a3daef659fd44a7fc0a669a9e47

SHA256
feb3d8d210496aca4042cc618a7d1ca9b3483e49a4cafc75ec268701fcdeb5fa

SHA512
b9fe2c07479413d294274e3f377bc66716db766a7b9d9547c1af7d9928d02c4d90891f880e82e0dfb5850da720d99404bf30ec542166ab80836a53ea014e62cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
C:\backup.exe

Filesize
72KB

MD5
76124044f0556836ec886662a6e8a01b

SHA1
e177a0ffaee4e735f2b8eeb81f2329fe422983c7

SHA256
353829542267fabd7b82c77a75393800db38d2a9e74c02da621a9ef6c8464fdb

SHA512
68ffeda39a3fe94d451ce7f449e1560c1dbf32989c030674f53e4336b28457a22a393702df4dd3ec7999a5f6cdfc66ea9b52404158f90daa78245917557c54c3

Download Submit
C:\backup.exe

Filesize
72KB

MD5
76124044f0556836ec886662a6e8a01b

SHA1
e177a0ffaee4e735f2b8eeb81f2329fe422983c7

SHA256
353829542267fabd7b82c77a75393800db38d2a9e74c02da621a9ef6c8464fdb

SHA512
68ffeda39a3fe94d451ce7f449e1560c1dbf32989c030674f53e4336b28457a22a393702df4dd3ec7999a5f6cdfc66ea9b52404158f90daa78245917557c54c3

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b6be3d3153bd243286b52dcf4a7718e

SHA1
c2fca6b915411ce1a759662710050eaf80a79132

SHA256
ba3f9843703ab90e5ae3d3696bb30857847e4f925f703aa3ed7b8800eb1d4a3d

SHA512
27a6a6353df480f3234bccd47626cee96027e47e6ecad09bab16f2041735c4409a134a86634edf985a5bb123d1cc53451bb2d91024dfc98039842519510c8e86

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b6be3d3153bd243286b52dcf4a7718e

SHA1
c2fca6b915411ce1a759662710050eaf80a79132

SHA256
ba3f9843703ab90e5ae3d3696bb30857847e4f925f703aa3ed7b8800eb1d4a3d

SHA512
27a6a6353df480f3234bccd47626cee96027e47e6ecad09bab16f2041735c4409a134a86634edf985a5bb123d1cc53451bb2d91024dfc98039842519510c8e86

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
726ad2efada5e701d0e52badb7d8b64d

SHA1
07123caf2baf7611d24ec74d47fe7f58a9d02178

SHA256
93bf9cab597925b93023f0f830119458990505ebcf7058051613157f8af24716

SHA512
06d18d12192369ecbf5a606a3013a6ff1d61947524131a27d592269f1117535f0f4a039201d3c30860bbe66ea257a48c19f3bdd88ac0d5d68d519cbeb2c113d6

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
726ad2efada5e701d0e52badb7d8b64d

SHA1
07123caf2baf7611d24ec74d47fe7f58a9d02178

SHA256
93bf9cab597925b93023f0f830119458990505ebcf7058051613157f8af24716

SHA512
06d18d12192369ecbf5a606a3013a6ff1d61947524131a27d592269f1117535f0f4a039201d3c30860bbe66ea257a48c19f3bdd88ac0d5d68d519cbeb2c113d6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1d7498e4a9dcaa97bc81b17725e1c67b

SHA1
e9c26d0dbcd82cd3de6311af8c9c8f64fef274ab

SHA256
07ed6da7ddd37d982fec117f3980ab215bd46ba218daec50813efd0fa4fba1ee

SHA512
765db03082e293cc25c60372a90b4043582f51ddb916a1d9ccc76ab5f97f87bb15c022500dac5dc4f8c61aa8ccbb4272f3d32b6edf2da45acbaf1f5a67994ac0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1d7498e4a9dcaa97bc81b17725e1c67b

SHA1
e9c26d0dbcd82cd3de6311af8c9c8f64fef274ab

SHA256
07ed6da7ddd37d982fec117f3980ab215bd46ba218daec50813efd0fa4fba1ee

SHA512
765db03082e293cc25c60372a90b4043582f51ddb916a1d9ccc76ab5f97f87bb15c022500dac5dc4f8c61aa8ccbb4272f3d32b6edf2da45acbaf1f5a67994ac0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
711804f53bf105550d8cfabc320dd1e7

SHA1
268e40c2eef52159ffe751320e8cf91ffc666c80

SHA256
93c45376b1862938310c62df3b27847e0bfa40b8f23afab957bd76b510143ae7

SHA512
8d6e67a44c39193c33b074b5f52b5cb575150dda466cad40de10dd621019c303f8f3549595e4896666d68111f42694c39626c136ec338cb9a961ca25b0e3fca2

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
711804f53bf105550d8cfabc320dd1e7

SHA1
268e40c2eef52159ffe751320e8cf91ffc666c80

SHA256
93c45376b1862938310c62df3b27847e0bfa40b8f23afab957bd76b510143ae7

SHA512
8d6e67a44c39193c33b074b5f52b5cb575150dda466cad40de10dd621019c303f8f3549595e4896666d68111f42694c39626c136ec338cb9a961ca25b0e3fca2

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe

Filesize
72KB

MD5
2c05ae5a7c8e7000fe6d3b78b7a6fd36

SHA1
8a8d75e399600135f9789735800b93f6311b5323

SHA256
fe35d6d11b474c596724f5e5273f4ddcdf7e8a385a512d22020fe33982b646d5

SHA512
324d5b29092628763fd4eff39b75f2c6a715dcac44184a6bf142ea2ba87d3f7d80b79bcc7784dcf8fbc20543beb4d89e4a8f9c45a81ec4ae0fad4a2bb6c7a91a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a7af6b0dd7590a0483e409b2c19bb7c4

SHA1
62753493e8b70e1bdbd9172f9ab435b348ba2f27

SHA256
9fc3c624b3a62fc9e488a0fffc74574e6816ce0edfbaf1a5b809bacc3626bea1

SHA512
267a7b0139a76c7fc291faa9d14c502e9bdbb8e37a44531d7a1d643b817bc94005b045da7f367a6d07eff13e07def22e758adc8895c513d68f9aa2711e8322af

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
a7af6b0dd7590a0483e409b2c19bb7c4

SHA1
62753493e8b70e1bdbd9172f9ab435b348ba2f27

SHA256
9fc3c624b3a62fc9e488a0fffc74574e6816ce0edfbaf1a5b809bacc3626bea1

SHA512
267a7b0139a76c7fc291faa9d14c502e9bdbb8e37a44531d7a1d643b817bc94005b045da7f367a6d07eff13e07def22e758adc8895c513d68f9aa2711e8322af

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
9995d9b2a36cf60f13888e12bc2aa140

SHA1
696b6dc6729573c6ba8ed8924185014bb5607f90

SHA256
61b35d38245aa18e42cb58411af58ae9075dbb996180bcae42a099a675dcbc2d

SHA512
a7b3c1eee27d41caf3e61f5847c71735a748ff28c424d1ebaed09e3e3928b1d7269aa1cdb4291627517afc220a7bbaf1592e0c8012cc13245bd9c7a0e429aaaa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
597f8ffa3df2c8c24664e591ae181d77

SHA1
9cc0681806d53653657a99a3446fc850786dc7d8

SHA256
8292180c86ada55d99f57f478b2e756f248af3ee64df6e7b8d467bd06864ef00

SHA512
ebe96b1ed4ba9d296330de7c371b922125a3c5a8622ade0b2de1c00df70845a4df8e1a6ab113168281e342e989a377d3f44bc0ba5ff429a4a166978e9d0cc247

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
1f842ddea4d462c09229beed84b24d3f

SHA1
80413b515683614f467072560e5b4d7792a31eb0

SHA256
2b697114a718ca34964085bfbe9f5b90e39e197c544573f2d47f1d04ba601687

SHA512
aef5fca66ea17a7d56d766fd5d4199561c1ff75caf4ce06d6c57736e8c357bcbd5b1d4da49f00526af2fe614c805b843634ce4ac44b8357ae3d895f9dad21e79

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
1f842ddea4d462c09229beed84b24d3f

SHA1
80413b515683614f467072560e5b4d7792a31eb0

SHA256
2b697114a718ca34964085bfbe9f5b90e39e197c544573f2d47f1d04ba601687

SHA512
aef5fca66ea17a7d56d766fd5d4199561c1ff75caf4ce06d6c57736e8c357bcbd5b1d4da49f00526af2fe614c805b843634ce4ac44b8357ae3d895f9dad21e79

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ed348daadc375dd2755ffcd60738705f

SHA1
eddc182fa5e9a5f8d3e5a7ae2acbee34419331c5

SHA256
61f4ac7308f9c0adc6209a55a9378574add8e4deece84f3db7b80357600ad9c1

SHA512
c40bca70f7cb6fd0661c727a113124232b075c474874f3ef7433f4045b17086070e68ab1d94eb8c0a1f585862350ff1c42ef2964c7a49d49c7b5e0a6eae71650

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ed348daadc375dd2755ffcd60738705f

SHA1
eddc182fa5e9a5f8d3e5a7ae2acbee34419331c5

SHA256
61f4ac7308f9c0adc6209a55a9378574add8e4deece84f3db7b80357600ad9c1

SHA512
c40bca70f7cb6fd0661c727a113124232b075c474874f3ef7433f4045b17086070e68ab1d94eb8c0a1f585862350ff1c42ef2964c7a49d49c7b5e0a6eae71650

Download Submit
\Users\Admin\AppData\Local\Temp\2963611575\backup.exe

Filesize
72KB

MD5
2501494a1daa5a4ccd91a06e56c866ea

SHA1
38e2f4de69464a3daef659fd44a7fc0a669a9e47

SHA256
feb3d8d210496aca4042cc618a7d1ca9b3483e49a4cafc75ec268701fcdeb5fa

SHA512
b9fe2c07479413d294274e3f377bc66716db766a7b9d9547c1af7d9928d02c4d90891f880e82e0dfb5850da720d99404bf30ec542166ab80836a53ea014e62cb

Download Submit
\Users\Admin\AppData\Local\Temp\2963611575\backup.exe

Filesize
72KB

MD5
2501494a1daa5a4ccd91a06e56c866ea

SHA1
38e2f4de69464a3daef659fd44a7fc0a669a9e47

SHA256
feb3d8d210496aca4042cc618a7d1ca9b3483e49a4cafc75ec268701fcdeb5fa

SHA512
b9fe2c07479413d294274e3f377bc66716db766a7b9d9547c1af7d9928d02c4d90891f880e82e0dfb5850da720d99404bf30ec542166ab80836a53ea014e62cb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
40b4c26e589b2bbe5bc7e6f7628721b2

SHA1
45d6be9ee0a1d2e161ef816cdcba52b908a35ace

SHA256
ebf3bbb46542f3c34a1e3a9f65f97f2587f648e22ffa069348d9aa9192f920ef

SHA512
8d10ed070e5e75c47657dc8b9274d17737521013536ddf7cfe52430f805e493c53d60f713916d208723dc09530cee7eaf75ab354c94aab220444ee9ce1a6eaee

Download Submit
memory/1776-118-0x0000000073F11000-0x0000000073F13000-memory.dmp

Filesize
8KB

Download
memory/1776-98-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads