a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89

Analysis

max time kernel
56s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
Size

72KB
MD5

0743491144f99f35336ccc837492b591
SHA1

b5acea179c3c1eaa3073f857a1098aa803b781b6
SHA256

a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89
SHA512

2994d9d1661fc4131b9ab77fe5f1aa4725d6d439f63e929e7c7d0a40e4dbe610cf2340d8d6d20abe2b0eb5487c39dbccf924e13478b709067dc94e2c51aaa7f9
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k70m:teThavEjDWguKU5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1016	backup.exe
1080	backup.exe
1680	data.exe
1904	backup.exe
952	backup.exe
1268	backup.exe
756	backup.exe
1912	backup.exe
1616	backup.exe
1040	backup.exe
360	backup.exe
1140	update.exe
676	backup.exe
1620	backup.exe
1876	backup.exe
1380	backup.exe
2040	backup.exe
1652	System Restore.exe
1780	backup.exe
1596	backup.exe
1244	backup.exe
772	backup.exe
1776	backup.exe
932	backup.exe
1672	backup.exe
1880	backup.exe
1152	backup.exe
1332	backup.exe
1524	backup.exe
1268	data.exe
1220	backup.exe
1616	backup.exe
936	backup.exe
1036	backup.exe
980	System Restore.exe
1560	backup.exe
1692	backup.exe
1696	data.exe
1632	data.exe
1140	backup.exe
1824	backup.exe
1884	backup.exe
1180	backup.exe
1260	backup.exe
540	update.exe
1900	backup.exe
1080	backup.exe
1752	backup.exe
768	backup.exe
1572	backup.exe
1860	backup.exe
1676	backup.exe
772	backup.exe
952	backup.exe
516	backup.exe
1328	backup.exe
960	backup.exe
756	backup.exe
1488	backup.exe
1536	backup.exe
1616	backup.exe
364	backup.exe
1660	backup.exe
1756	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1904	backup.exe
1904	backup.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1268	backup.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1268	backup.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1904	backup.exe
1904	backup.exe
360	backup.exe
1140	update.exe
1140	update.exe
1140	update.exe
1140	update.exe
1140	update.exe
676	backup.exe
676	backup.exe
676	backup.exe
360	backup.exe
360	backup.exe
1620	backup.exe
1620	backup.exe
1876	backup.exe
1876	backup.exe
1876	backup.exe
1876	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
2040	backup.exe
1524	backup.exe
1524	backup.exe
1524	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
1016	backup.exe
1080	backup.exe
1680	data.exe
1904	backup.exe
952	backup.exe
1268	backup.exe
756	backup.exe
1912	backup.exe
1616	backup.exe
1040	backup.exe
360	backup.exe
1140	update.exe
676	backup.exe
1620	backup.exe
1876	backup.exe
1380	backup.exe
2040	backup.exe
1652	System Restore.exe
1780	backup.exe
1596	backup.exe
1244	backup.exe
772	backup.exe
1776	backup.exe
932	backup.exe
1672	backup.exe
1880	backup.exe
1152	backup.exe
1332	backup.exe
1524	backup.exe
1268	data.exe
1220	backup.exe
1616	backup.exe
936	backup.exe
1036	backup.exe
980	System Restore.exe
1560	backup.exe
1692	backup.exe
1696	data.exe
1632	data.exe
1140	backup.exe
1824	backup.exe
1884	backup.exe
1180	backup.exe
1260	backup.exe
1588	backup.exe
1900	backup.exe
1080	backup.exe
1752	backup.exe
768	backup.exe
1860	backup.exe
1676	backup.exe
1572	backup.exe
772	backup.exe
952	backup.exe
516	backup.exe
1328	backup.exe
960	backup.exe
1488	backup.exe
756	backup.exe
1536	backup.exe
1616	backup.exe
1660	backup.exe
364	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1016	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	26
PID 1404 wrote to memory of 1016	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	26
PID 1404 wrote to memory of 1016	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	26
PID 1404 wrote to memory of 1016	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	26
PID 1404 wrote to memory of 1080	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	27
PID 1404 wrote to memory of 1080	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	27
PID 1404 wrote to memory of 1080	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	27
PID 1404 wrote to memory of 1080	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	27
PID 1404 wrote to memory of 1680	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	28
PID 1404 wrote to memory of 1680	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	28
PID 1404 wrote to memory of 1680	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	28
PID 1404 wrote to memory of 1680	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	28
PID 1404 wrote to memory of 952	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	29
PID 1404 wrote to memory of 952	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	29
PID 1404 wrote to memory of 952	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	29
PID 1404 wrote to memory of 952	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	29
PID 1016 wrote to memory of 1904	1016	backup.exe	30
PID 1016 wrote to memory of 1904	1016	backup.exe	30
PID 1016 wrote to memory of 1904	1016	backup.exe	30
PID 1016 wrote to memory of 1904	1016	backup.exe	30
PID 1904 wrote to memory of 1268	1904	backup.exe	31
PID 1904 wrote to memory of 1268	1904	backup.exe	31
PID 1904 wrote to memory of 1268	1904	backup.exe	31
PID 1904 wrote to memory of 1268	1904	backup.exe	31
PID 1404 wrote to memory of 756	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	32
PID 1404 wrote to memory of 756	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	32
PID 1404 wrote to memory of 756	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	32
PID 1404 wrote to memory of 756	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	32
PID 1268 wrote to memory of 1912	1268	backup.exe	33
PID 1268 wrote to memory of 1912	1268	backup.exe	33
PID 1268 wrote to memory of 1912	1268	backup.exe	33
PID 1268 wrote to memory of 1912	1268	backup.exe	33
PID 1404 wrote to memory of 1616	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	34
PID 1404 wrote to memory of 1616	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	34
PID 1404 wrote to memory of 1616	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	34
PID 1404 wrote to memory of 1616	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	34
PID 1404 wrote to memory of 1040	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	35
PID 1404 wrote to memory of 1040	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	35
PID 1404 wrote to memory of 1040	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	35
PID 1404 wrote to memory of 1040	1404	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe	35
PID 1904 wrote to memory of 360	1904	backup.exe	36
PID 1904 wrote to memory of 360	1904	backup.exe	36
PID 1904 wrote to memory of 360	1904	backup.exe	36
PID 1904 wrote to memory of 360	1904	backup.exe	36
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 360 wrote to memory of 1140	360	backup.exe	37
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 1140 wrote to memory of 676	1140	update.exe	38
PID 360 wrote to memory of 1620	360	backup.exe	39
PID 360 wrote to memory of 1620	360	backup.exe	39
PID 360 wrote to memory of 1620	360	backup.exe	39
PID 360 wrote to memory of 1620	360	backup.exe	39
PID 1620 wrote to memory of 1876	1620	backup.exe	40
PID 1620 wrote to memory of 1876	1620	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe

C:\Users\Admin\AppData\Local\Temp\a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe
"C:\Users\Admin\AppData\Local\Temp\a148f2490674d6ec8de1362e8f769dcea4152fd1a0f04fab97fb5f14627a6f89.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1404
- C:\Users\Admin\AppData\Local\Temp\2152984303\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2152984303\backup.exe C:\Users\Admin\AppData\Local\Temp\2152984303\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1016
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1268
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:360
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1140
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:676
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2120
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
      - C:\Program Files\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\update.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:540
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1588
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:856
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1088
        
        C:\Program Files\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1636
        
        C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1380
        
        C:\Program Files\Common Files\System\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\de-DE\update.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1648
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1748
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1912
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1632
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2012
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1600
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1748
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2112
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1180
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1860
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:280
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:884
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1064
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:552
      - C:\Program Files\DVD Maker\Shared\data.exe
        
        "C:\Program Files\DVD Maker\Shared\data.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2028
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:876
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:240
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1488
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1808
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1872
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1812
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1516
    - - C:\Program Files\Reference Assemblies\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\System Restore.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2164
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:936
    - - C:\Program Files (x86)\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1776
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1764
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        System policy modification
        
        PID:540
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1516
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1948
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:612
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:944
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2000
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1916
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\data.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\data.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:428
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:852
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1480
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2128
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      System policy modification
      PID:1756
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2032
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        
        PID:268
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1644
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1564
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1880
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1696
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1592
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2104
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Low\data.exe
  C:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:952
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:756
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
cb73abc79962e67415463d53e4aad3c5

SHA1
07b671e5e89cd7b0d4da2ad996999b573b8b4457

SHA256
971fe17ff2999a3c171dc36999447366360a5cfababa0104d31a7ed713bf2d68

SHA512
7f97bc301f5fc3a64e9cb17649e1d13fff978afde3108625c741227b0d3139a8ead9a76282c748f8eab674a8a5fd1cbe24d1abdb97780f2c598ba610bae7a430

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
c4739b3cb9ad1db8028bccd2ef2055b1

SHA1
787ef79aeac36054f9dd0ca9be0190ec23189837

SHA256
baf7e07817572b5b473cc38b4b747a8a5478a6a73fae48ca5bc4d009f15166cd

SHA512
abccad9e12f2cddacc7a62648318f410392a6bdc816b5a213a930f9b96dbf2ce3b8bf3d1b21e286df74d82941172e35ff365d9b480eeba70641a27f3c5ee68da

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
c4739b3cb9ad1db8028bccd2ef2055b1

SHA1
787ef79aeac36054f9dd0ca9be0190ec23189837

SHA256
baf7e07817572b5b473cc38b4b747a8a5478a6a73fae48ca5bc4d009f15166cd

SHA512
abccad9e12f2cddacc7a62648318f410392a6bdc816b5a213a930f9b96dbf2ce3b8bf3d1b21e286df74d82941172e35ff365d9b480eeba70641a27f3c5ee68da

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d1e57c083518b8ab604b4c84a77d59ec

SHA1
60c7eb2b5c47691dac7fe8f403eecc43515f9315

SHA256
95afb49323611e1deb6e02ea3eb572af63c382f162aa1b69c01286e97fb0d93a

SHA512
1d2c5500a770c729adb02201edf0efbd1c80061b7963fab64bd3969025774912b37de5643f17bacc197a9fc6b8d73c97a869efccf5e92d74ee421c2b444aaa7e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d1e57c083518b8ab604b4c84a77d59ec

SHA1
60c7eb2b5c47691dac7fe8f403eecc43515f9315

SHA256
95afb49323611e1deb6e02ea3eb572af63c382f162aa1b69c01286e97fb0d93a

SHA512
1d2c5500a770c729adb02201edf0efbd1c80061b7963fab64bd3969025774912b37de5643f17bacc197a9fc6b8d73c97a869efccf5e92d74ee421c2b444aaa7e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
df321c49b16a5973934e81c8cccf898c

SHA1
aca187a055934754851aeaf8e043b9309b1adec3

SHA256
ca27e87f106a3763ff243a41e8dfc480b9084663026c73b443bc77697f64432f

SHA512
cf0895d5161fed76842a126782378793fd7d1d4982bec952f87db3fce6d1550239b81c20b69d2df59a3dd954e0109666d69d0de65f8d803c7d522016021b7dcc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
df321c49b16a5973934e81c8cccf898c

SHA1
aca187a055934754851aeaf8e043b9309b1adec3

SHA256
ca27e87f106a3763ff243a41e8dfc480b9084663026c73b443bc77697f64432f

SHA512
cf0895d5161fed76842a126782378793fd7d1d4982bec952f87db3fce6d1550239b81c20b69d2df59a3dd954e0109666d69d0de65f8d803c7d522016021b7dcc

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d36b01968948f3c4a15a16fd82c56afa

SHA1
56bbb19592337f8f0bd97ecaf268cf3144608ac7

SHA256
1b1b552b873e4bf4439aaa13052406a96abf31d4557fde9774d9fdd21e517b41

SHA512
d551d69cfd6e03c6a1ad1e0fa120943b022b8b933e3654c2c4487e45dc474bef2131c8a6b25a752929389f5c00c9dc0ae965bd0dd3bfc06fdde9a8cd4f395154

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d36b01968948f3c4a15a16fd82c56afa

SHA1
56bbb19592337f8f0bd97ecaf268cf3144608ac7

SHA256
1b1b552b873e4bf4439aaa13052406a96abf31d4557fde9774d9fdd21e517b41

SHA512
d551d69cfd6e03c6a1ad1e0fa120943b022b8b933e3654c2c4487e45dc474bef2131c8a6b25a752929389f5c00c9dc0ae965bd0dd3bfc06fdde9a8cd4f395154

Download Submit
C:\Users\Admin\AppData\Local\Temp\2152984303\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2152984303\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
3e2d98da7d5d72c2f903fc7abb229cff

SHA1
0da186eb5d299ead692d0251d0a94c525aaa5c27

SHA256
1c73c63f0682cba2606f6492084d52f383b7085836beaf0af1f3011b8f4261f5

SHA512
7676185495e28f43246ee97c60743ff7c515d0e69df50f83685644f1d3fad099bde6f431f6e4c8dc5510aedc7f59ac5b3534c66af11f096325e4936fac4d969a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0e0f4f831794d77d7113e1c406261aae

SHA1
eefb16db49f896d39986d442607ddfaa8ea9920d

SHA256
eb4f1a08497e9a83129e1ac98b6279c6d8b5b6f28b94edf06df89b609ba2b2a2

SHA512
e0d694e78d9a270f996f5867668a716b9c83d0f07d88109b5528797f5502423676fd49eac317284c0e1571af28f8da276adad56dfe12009028e1689b8c0a82c2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0e0f4f831794d77d7113e1c406261aae

SHA1
eefb16db49f896d39986d442607ddfaa8ea9920d

SHA256
eb4f1a08497e9a83129e1ac98b6279c6d8b5b6f28b94edf06df89b609ba2b2a2

SHA512
e0d694e78d9a270f996f5867668a716b9c83d0f07d88109b5528797f5502423676fd49eac317284c0e1571af28f8da276adad56dfe12009028e1689b8c0a82c2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
cb73abc79962e67415463d53e4aad3c5

SHA1
07b671e5e89cd7b0d4da2ad996999b573b8b4457

SHA256
971fe17ff2999a3c171dc36999447366360a5cfababa0104d31a7ed713bf2d68

SHA512
7f97bc301f5fc3a64e9cb17649e1d13fff978afde3108625c741227b0d3139a8ead9a76282c748f8eab674a8a5fd1cbe24d1abdb97780f2c598ba610bae7a430

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
cb73abc79962e67415463d53e4aad3c5

SHA1
07b671e5e89cd7b0d4da2ad996999b573b8b4457

SHA256
971fe17ff2999a3c171dc36999447366360a5cfababa0104d31a7ed713bf2d68

SHA512
7f97bc301f5fc3a64e9cb17649e1d13fff978afde3108625c741227b0d3139a8ead9a76282c748f8eab674a8a5fd1cbe24d1abdb97780f2c598ba610bae7a430

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
c4739b3cb9ad1db8028bccd2ef2055b1

SHA1
787ef79aeac36054f9dd0ca9be0190ec23189837

SHA256
baf7e07817572b5b473cc38b4b747a8a5478a6a73fae48ca5bc4d009f15166cd

SHA512
abccad9e12f2cddacc7a62648318f410392a6bdc816b5a213a930f9b96dbf2ce3b8bf3d1b21e286df74d82941172e35ff365d9b480eeba70641a27f3c5ee68da

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
c4739b3cb9ad1db8028bccd2ef2055b1

SHA1
787ef79aeac36054f9dd0ca9be0190ec23189837

SHA256
baf7e07817572b5b473cc38b4b747a8a5478a6a73fae48ca5bc4d009f15166cd

SHA512
abccad9e12f2cddacc7a62648318f410392a6bdc816b5a213a930f9b96dbf2ce3b8bf3d1b21e286df74d82941172e35ff365d9b480eeba70641a27f3c5ee68da

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
013efc6030253ec651ec125cc8fd77d1

SHA1
64a52a07e472917f021982da3f5da7596e8c6ae2

SHA256
5e90507f36a8b56525092f4368669cb9dfed65aec0aea5589f61769e230ab4a9

SHA512
430a394a9f1cbe646bcb017edf9ff38b8bad5f452dd665f2b7f95e093327f9cf7371e37ccece7a9759ede6b09863655de0dbe04842328989a00d0fe0b56fd7ec

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
3bdc286a0adaebcc63c964eb3f4834d0

SHA1
dbb381fcc7e6c3928c961bc243c8fbff39f85feb

SHA256
34232722ce1f34aad77874f77188cef07344e6c85cc9c02ee9aa7d4b320acbf0

SHA512
079ec6c82e8dc6a04aa3b2e6a2869f88d5a45e06b43c80cb6cd3593dab5c61f32530c36b2386da8b89785d974ff0945408f58bd504e325c2f46b76917d136365

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d1e57c083518b8ab604b4c84a77d59ec

SHA1
60c7eb2b5c47691dac7fe8f403eecc43515f9315

SHA256
95afb49323611e1deb6e02ea3eb572af63c382f162aa1b69c01286e97fb0d93a

SHA512
1d2c5500a770c729adb02201edf0efbd1c80061b7963fab64bd3969025774912b37de5643f17bacc197a9fc6b8d73c97a869efccf5e92d74ee421c2b444aaa7e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d1e57c083518b8ab604b4c84a77d59ec

SHA1
60c7eb2b5c47691dac7fe8f403eecc43515f9315

SHA256
95afb49323611e1deb6e02ea3eb572af63c382f162aa1b69c01286e97fb0d93a

SHA512
1d2c5500a770c729adb02201edf0efbd1c80061b7963fab64bd3969025774912b37de5643f17bacc197a9fc6b8d73c97a869efccf5e92d74ee421c2b444aaa7e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
7a1871e5e4b0610b292e9b83498c6e07

SHA1
b92e2b60ef92bcb852fcfb721dcca8b3a8837435

SHA256
29891d76dc143edfe6301de08a7a5797d6caf530210cde6231e5f58ebbbc1f6d

SHA512
418eb14483fcd2323602f77cfac3d4fb35986d49616f9d75373ada8089b2d7b0963de57d3d76ce0df7f178b439315109e4dfb2a2cde83e1e27c1693433269a37

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d61f7b6ffdb3faa5d156357b602d110d

SHA1
5393e7e5928c62037883eb3eb71431477ae6348e

SHA256
b27f4d57dbbd465c53009e4b091df7ba882985de909c3331455af4da85dd4111

SHA512
d799b13eede75c9fbbfa9070d7d4efc741ce25acfa7a9b5baab9f580938b2a85d3202d2d2d5a4408ebdc4caad29a9c94106efa6704bc2f0e3fb525f5deb77f3a

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
df321c49b16a5973934e81c8cccf898c

SHA1
aca187a055934754851aeaf8e043b9309b1adec3

SHA256
ca27e87f106a3763ff243a41e8dfc480b9084663026c73b443bc77697f64432f

SHA512
cf0895d5161fed76842a126782378793fd7d1d4982bec952f87db3fce6d1550239b81c20b69d2df59a3dd954e0109666d69d0de65f8d803c7d522016021b7dcc

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
df321c49b16a5973934e81c8cccf898c

SHA1
aca187a055934754851aeaf8e043b9309b1adec3

SHA256
ca27e87f106a3763ff243a41e8dfc480b9084663026c73b443bc77697f64432f

SHA512
cf0895d5161fed76842a126782378793fd7d1d4982bec952f87db3fce6d1550239b81c20b69d2df59a3dd954e0109666d69d0de65f8d803c7d522016021b7dcc

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d36b01968948f3c4a15a16fd82c56afa

SHA1
56bbb19592337f8f0bd97ecaf268cf3144608ac7

SHA256
1b1b552b873e4bf4439aaa13052406a96abf31d4557fde9774d9fdd21e517b41

SHA512
d551d69cfd6e03c6a1ad1e0fa120943b022b8b933e3654c2c4487e45dc474bef2131c8a6b25a752929389f5c00c9dc0ae965bd0dd3bfc06fdde9a8cd4f395154

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d36b01968948f3c4a15a16fd82c56afa

SHA1
56bbb19592337f8f0bd97ecaf268cf3144608ac7

SHA256
1b1b552b873e4bf4439aaa13052406a96abf31d4557fde9774d9fdd21e517b41

SHA512
d551d69cfd6e03c6a1ad1e0fa120943b022b8b933e3654c2c4487e45dc474bef2131c8a6b25a752929389f5c00c9dc0ae965bd0dd3bfc06fdde9a8cd4f395154

Download Submit
\Users\Admin\AppData\Local\Temp\2152984303\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
\Users\Admin\AppData\Local\Temp\2152984303\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5f75d4f29fafb2a79524a603bcf6644e

SHA1
30c4a098b9797360535085f71bba81cb1311b21a

SHA256
b6ded424a7ff661f36aadae3658cbd4a8090c6ee5a76d42d8b0b0fd575590c6e

SHA512
281801b40bbe5e5a588b8c9ccb44061d33e176517998f15569a34a2b87dbfefa5d51e6d61744718e30e7d9d0738e267e85247edcbee7758da00f968dd3ef9c28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
3e2d98da7d5d72c2f903fc7abb229cff

SHA1
0da186eb5d299ead692d0251d0a94c525aaa5c27

SHA256
1c73c63f0682cba2606f6492084d52f383b7085836beaf0af1f3011b8f4261f5

SHA512
7676185495e28f43246ee97c60743ff7c515d0e69df50f83685644f1d3fad099bde6f431f6e4c8dc5510aedc7f59ac5b3534c66af11f096325e4936fac4d969a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
3e2d98da7d5d72c2f903fc7abb229cff

SHA1
0da186eb5d299ead692d0251d0a94c525aaa5c27

SHA256
1c73c63f0682cba2606f6492084d52f383b7085836beaf0af1f3011b8f4261f5

SHA512
7676185495e28f43246ee97c60743ff7c515d0e69df50f83685644f1d3fad099bde6f431f6e4c8dc5510aedc7f59ac5b3534c66af11f096325e4936fac4d969a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5dfd2dd881ba5fdf5b09b50b633efdf6

SHA1
f68c551718761e8db778a7527575c2a4db6ddc20

SHA256
1af82f4048480cae9583809bd5ee1a4e03b6b873762f774a804c2117611b9b45

SHA512
79fca187cd0592eae1f92caa17091719b250df906e19427d14d7e7233d13216f93e86e4fd1833c519fb39200d6e9a163fa5b2b5a866a2d32f1e3385ad5108c4f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
8099d5222075d1b32cb582a2761d7119

SHA1
f53a6a07b3e9bd26fa07989f90102b3ea3160911

SHA256
aa422686bd8084509ec2253d736bdb40d61bd7e8ea40895afcd35d47f60e703d

SHA512
91d09c740c5763cfd6e809752af7ca23aef85b3e5c936cbc6f00035397a98a21ded755a359ddd18a8131ab0bd795eb8d5f1c9eef68a595fda879a7138c6dcea7

Download Submit
memory/1404-117-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads