cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5

Analysis

max time kernel
109s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
Size

72KB
MD5

44989d95b96c4919b14d3954351861b9
SHA1

7bdab7c6bd8b100623d7d664a14b39ad31b66f99
SHA256

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5
SHA512

082ff029cd0f6eac55e3c3a60b8b8d0c8f30b9a26d178ac8350942d3d78eec462b589128b302058ee7ca5e7223be769b7257c939b970ee77d62b8a08d4ccd8cc
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3DZb:teThavEjDWguK1b

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
996	backup.exe
1604	backup.exe
1408	backup.exe
1672	backup.exe
1048	backup.exe
1272	backup.exe
676	backup.exe
868	backup.exe
972	backup.exe
1392	backup.exe
1168	backup.exe
1756	backup.exe
804	backup.exe
1472	backup.exe
1568	data.exe
2004	backup.exe
108	backup.exe
952	data.exe
848	backup.exe
1512	backup.exe
1264	backup.exe
1788	backup.exe
1048	backup.exe
1272	backup.exe
592	backup.exe
280	backup.exe
1560	backup.exe
524	update.exe
932	backup.exe
360	backup.exe
1776	backup.exe
1328	backup.exe
1800	backup.exe
1384	backup.exe
1612	backup.exe
1524	backup.exe
1688	update.exe
1056	backup.exe
988	backup.exe
1172	backup.exe
1620	backup.exe
1532	backup.exe
872	backup.exe
1320	backup.exe
1548	backup.exe
952	backup.exe
1812	backup.exe
596	backup.exe
1124	backup.exe
1212	backup.exe
1564	backup.exe
1576	backup.exe
304	backup.exe
1352	backup.exe
1084	backup.exe
1644	backup.exe
572	System Restore.exe
1872	backup.exe
1740	data.exe
1844	backup.exe
976	backup.exe
1756	backup.exe
1596	backup.exe
1240	backup.exe

Loads dropped DLL 64 IoCs

Processes:

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exe

pid	process
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
868	backup.exe
868	backup.exe
972	backup.exe
972	backup.exe
868	backup.exe
868	backup.exe
1168	backup.exe
1168	backup.exe
1756	backup.exe
1756	backup.exe
1168	backup.exe
1168	backup.exe
1472	backup.exe
1472	backup.exe
1568	data.exe
1568	data.exe
1568	data.exe
1568	data.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
868	backup.exe
1168	backup.exe
868	backup.exe
1168	backup.exe
1472	backup.exe
108	backup.exe
108	backup.exe
1568	data.exe
1568	data.exe
1168	backup.exe
108	backup.exe
868	backup.exe
1568	data.exe
1568	data.exe
1472	backup.exe
868	backup.exe
1168	backup.exe
1472	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe

Drops file in Windows directory 4 IoCs

Processes:

backup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe

pid process

912 cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
996	backup.exe
1604	backup.exe
1408	backup.exe
1672	backup.exe
1048	backup.exe
1272	backup.exe
676	backup.exe
868	backup.exe
972	backup.exe
1392	backup.exe
1168	backup.exe
1756	backup.exe
804	backup.exe
1472	backup.exe
1568	data.exe
2004	backup.exe
108	backup.exe
952	data.exe
848	backup.exe
1512	backup.exe
1264	backup.exe
1788	backup.exe
1048	backup.exe
1272	backup.exe
592	backup.exe
280	backup.exe
1560	backup.exe
932	backup.exe
1800	backup.exe
1328	backup.exe
360	backup.exe
1384	backup.exe
1776	backup.exe
524	update.exe
1612	backup.exe
1056	backup.exe
1688	update.exe
1172	backup.exe
988	backup.exe
1524	backup.exe
1620	backup.exe
1548	backup.exe
1812	backup.exe
952	backup.exe
1532	backup.exe
1320	backup.exe
596	backup.exe
1124	backup.exe
1212	backup.exe
1564	backup.exe
1576	backup.exe
1352	backup.exe
1084	backup.exe
1644	backup.exe
304	backup.exe
572	System Restore.exe
1596	backup.exe
1756	backup.exe
1872	backup.exe
976	backup.exe
1844	backup.exe
904	backup.exe
1524	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exe

description	pid	process	target process
PID 912 wrote to memory of 996	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 996	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 996	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 996	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1604	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1604	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1604	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1604	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1408	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1408	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1408	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1408	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1672	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1672	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1672	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1672	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1048	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1048	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1048	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1048	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1272	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1272	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1272	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 1272	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 676	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 676	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 676	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 912 wrote to memory of 676	912	cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe	backup.exe
PID 996 wrote to memory of 868	996	backup.exe	backup.exe
PID 996 wrote to memory of 868	996	backup.exe	backup.exe
PID 996 wrote to memory of 868	996	backup.exe	backup.exe
PID 996 wrote to memory of 868	996	backup.exe	backup.exe
PID 868 wrote to memory of 972	868	backup.exe	backup.exe
PID 868 wrote to memory of 972	868	backup.exe	backup.exe
PID 868 wrote to memory of 972	868	backup.exe	backup.exe
PID 868 wrote to memory of 972	868	backup.exe	backup.exe
PID 972 wrote to memory of 1392	972	backup.exe	backup.exe
PID 972 wrote to memory of 1392	972	backup.exe	backup.exe
PID 972 wrote to memory of 1392	972	backup.exe	backup.exe
PID 972 wrote to memory of 1392	972	backup.exe	backup.exe
PID 868 wrote to memory of 1168	868	backup.exe	backup.exe
PID 868 wrote to memory of 1168	868	backup.exe	backup.exe
PID 868 wrote to memory of 1168	868	backup.exe	backup.exe
PID 868 wrote to memory of 1168	868	backup.exe	backup.exe
PID 1168 wrote to memory of 1756	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1756	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1756	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1756	1168	backup.exe	backup.exe
PID 1756 wrote to memory of 804	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 804	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 804	1756	backup.exe	backup.exe
PID 1756 wrote to memory of 804	1756	backup.exe	backup.exe
PID 1168 wrote to memory of 1472	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1472	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1472	1168	backup.exe	backup.exe
PID 1168 wrote to memory of 1472	1168	backup.exe	backup.exe
PID 1472 wrote to memory of 1568	1472	backup.exe	data.exe
PID 1472 wrote to memory of 1568	1472	backup.exe	data.exe
PID 1472 wrote to memory of 1568	1472	backup.exe	data.exe
PID 1472 wrote to memory of 1568	1472	backup.exe	data.exe
PID 1568 wrote to memory of 2004	1568	data.exe	backup.exe
PID 1568 wrote to memory of 2004	1568	data.exe	backup.exe
PID 1568 wrote to memory of 2004	1568	data.exe	backup.exe
PID 1568 wrote to memory of 2004	1568	data.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe
"C:\Users\Admin\AppData\Local\Temp\cac6a50728c3a8a1cbbb4d9225d4cc9b1d02e0a90eeaa51030bfd0e6564b9bb5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\2486822613\backup.exe
C:\Users\Admin\AppData\Local\Temp\2486822613\backup.exe C:\Users\Admin\AppData\Local\Temp\2486822613\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:996

C:\backup.exe
\backup.exe \
3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1392

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1168

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1756

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:804

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1472

C:\Program Files\Common Files\Microsoft Shared\data.exe
"C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:108

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:952

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:848

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1512

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1788

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1048

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1560

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1548

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1212

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- System policy modification
PID:1740

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1824

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1644

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
PID:1660

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
PID:268

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
PID:964

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
PID:2120

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
PID:2312

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1384

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
PID:1872

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
PID:320

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
PID:1548

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
PID:2216

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
PID:2396

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:932

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1320

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1352

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1756

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
- System policy modification
PID:472

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:692

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:360

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1532

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1084

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
PID:1240

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2028

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1412

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:1780

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:580

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:1632

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:2160

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
PID:2352

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1580

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:824

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:524

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:1744

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:2152

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:2336

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:1352

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:2040

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:2184

C:\Program Files\Common Files\Services\update.exe
"C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1800

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1172

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Executes dropped EXE
PID:872

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:280

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:596

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:304

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1872

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:904

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
- Modifies visibility of file extensions in Explorer
PID:284

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1528

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
PID:776

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:988

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:952

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1576

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:976

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1524

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- Modifies visibility of file extensions in Explorer
PID:596

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1068

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:1324

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
PID:984

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
PID:1132

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
PID:2224

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:524

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1048

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1656

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
PID:300

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:1788

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:1532

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:360

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:2176

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:2360

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1784

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:1824

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:1068

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:2192

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:2344

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:592

C:\Program Files (x86)\Adobe\update.exe
"C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1688

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1564

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:572

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- System policy modification
PID:1796

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
- System policy modification
PID:580

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
- Drops file in Program Files directory
- System policy modification
PID:1084

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:1772

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:932

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:804

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1240

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
PID:2168

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
PID:2368

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1672

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:976

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:472

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:1412

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:2144

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
PID:2320

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:2004

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:436

C:\Program Files (x86)\Common Files\Adobe\update.exe
"C:\Program Files (x86)\Common Files\Adobe\update.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
PID:1592

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:284

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:1468

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
PID:2128

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:2388

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:596

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:952

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:2136

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:2328

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1776

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
- System policy modification
PID:1548

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:1612

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1380

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:1688

C:\Users\Admin\Pictures\update.exe
C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
6⤵
PID:692

C:\Users\Admin\Saved Games\System Restore.exe
"C:\Users\Admin\Saved Games\System Restore.exe" C:\Users\Admin\Saved Games\
6⤵
PID:1776

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:2108

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:2296

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1536

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:284

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:856

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
PID:908

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:1644

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:2208

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:2404

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in Windows directory
PID:1828

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:1616

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
PID:676

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
PID:868

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
PID:2100

C:\Windows\Branding\backup.exe
C:\Windows\Branding\backup.exe C:\Windows\Branding\
5⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1672

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1272

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
9a85003b99b8aea1d5d37bb41d4c528c

SHA1
f887f362f23604bb69af964261a6a2e0270aa67f

SHA256
438016bd187a9ca389c625c4e15e93269c52f1472e6743d00bd5c9fa912b9c3a

SHA512
33cf8b4444998d6f716bd2966b9bf1e7ea94441b26220525382d14f5f80ed5089ee5bc7047e37e3ebb4cd2a64299c4edcbeb2c84378eded9633454014b979b33

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
e856a0c232de391027d33027460a7ab9

SHA1
7f9692fd054442c20d28120898c3da16266eb11b

SHA256
f6f17e5bb0cc6597cd5fe0888a284918d0547e179899202ff1467f61707d74a7

SHA512
6594c1cbff58c1cfcd07bdf6ca7998bd0164106172041b82712cd989b9e8f0724853023c7b8d010e669c2059c5122d06cb08e72f4365d6368c4a9eccaad2d07a

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
e856a0c232de391027d33027460a7ab9

SHA1
7f9692fd054442c20d28120898c3da16266eb11b

SHA256
f6f17e5bb0cc6597cd5fe0888a284918d0547e179899202ff1467f61707d74a7

SHA512
6594c1cbff58c1cfcd07bdf6ca7998bd0164106172041b82712cd989b9e8f0724853023c7b8d010e669c2059c5122d06cb08e72f4365d6368c4a9eccaad2d07a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
b62478584edd28df4d24d7bb1109a4d0

SHA1
ad62e959b60153e56d44eee109cf9ded7cc4211e

SHA256
3563d6140aa23d11a7916a8f48d6d47994dda864ea6ca327c5b072c0783b5507

SHA512
efbc44c805735088f3091e9c27cecc495feef9f5da85d604c5e8f76f8255967034fe1e219805e417005c030f4256f0e92ec19f1d9931ff60525ef751e25bc9be

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
b62478584edd28df4d24d7bb1109a4d0

SHA1
ad62e959b60153e56d44eee109cf9ded7cc4211e

SHA256
3563d6140aa23d11a7916a8f48d6d47994dda864ea6ca327c5b072c0783b5507

SHA512
efbc44c805735088f3091e9c27cecc495feef9f5da85d604c5e8f76f8255967034fe1e219805e417005c030f4256f0e92ec19f1d9931ff60525ef751e25bc9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2486822613\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2486822613\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
C:\backup.exe
Filesize
72KB

MD5
638b5231fc5c9fcea6c50bfe2c1b893e

SHA1
3390d4fc5644b4627876b6cd6741fe1ef3fb1733

SHA256
54c57658593cb86015b11fd4dc26dc484af2cddd2e267070cbba8b079f10a592

SHA512
eb9bd7e904a47b4ee8dfb39c2a24588c2bcb4473ec814083eceac31bbc2cdb7233aef6838c882e8e2faba206439c54d4b2c80b7335b243292bad12fff548a920

Download Submit
C:\backup.exe
Filesize
72KB

MD5
638b5231fc5c9fcea6c50bfe2c1b893e

SHA1
3390d4fc5644b4627876b6cd6741fe1ef3fb1733

SHA256
54c57658593cb86015b11fd4dc26dc484af2cddd2e267070cbba8b079f10a592

SHA512
eb9bd7e904a47b4ee8dfb39c2a24588c2bcb4473ec814083eceac31bbc2cdb7233aef6838c882e8e2faba206439c54d4b2c80b7335b243292bad12fff548a920

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
9a85003b99b8aea1d5d37bb41d4c528c

SHA1
f887f362f23604bb69af964261a6a2e0270aa67f

SHA256
438016bd187a9ca389c625c4e15e93269c52f1472e6743d00bd5c9fa912b9c3a

SHA512
33cf8b4444998d6f716bd2966b9bf1e7ea94441b26220525382d14f5f80ed5089ee5bc7047e37e3ebb4cd2a64299c4edcbeb2c84378eded9633454014b979b33

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
9a85003b99b8aea1d5d37bb41d4c528c

SHA1
f887f362f23604bb69af964261a6a2e0270aa67f

SHA256
438016bd187a9ca389c625c4e15e93269c52f1472e6743d00bd5c9fa912b9c3a

SHA512
33cf8b4444998d6f716bd2966b9bf1e7ea94441b26220525382d14f5f80ed5089ee5bc7047e37e3ebb4cd2a64299c4edcbeb2c84378eded9633454014b979b33

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
e856a0c232de391027d33027460a7ab9

SHA1
7f9692fd054442c20d28120898c3da16266eb11b

SHA256
f6f17e5bb0cc6597cd5fe0888a284918d0547e179899202ff1467f61707d74a7

SHA512
6594c1cbff58c1cfcd07bdf6ca7998bd0164106172041b82712cd989b9e8f0724853023c7b8d010e669c2059c5122d06cb08e72f4365d6368c4a9eccaad2d07a

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
e856a0c232de391027d33027460a7ab9

SHA1
7f9692fd054442c20d28120898c3da16266eb11b

SHA256
f6f17e5bb0cc6597cd5fe0888a284918d0547e179899202ff1467f61707d74a7

SHA512
6594c1cbff58c1cfcd07bdf6ca7998bd0164106172041b82712cd989b9e8f0724853023c7b8d010e669c2059c5122d06cb08e72f4365d6368c4a9eccaad2d07a

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe
Filesize
72KB

MD5
09978e8970463e9275119808f416dc71

SHA1
1b57ab5cbad31e5da2eaaf1d89b1055cbabfe4bf

SHA256
5676bb772c10f31a7a555a83586b96dc8b4cd33c5b8d15f3cbe2921725f6ee3b

SHA512
78ea3dfebc523df562b80c02051d0f8516c0867a2352c554a5e25f8eaf0b7a9a5edd47ba353ce6090a659d7c31be6ebba153106840fc18472b96d42cbd641c21

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
8504ed4a5b4865d63275beaf03b6c86f

SHA1
e0491b9a4c8710292d2f3e05d1ab4060ba4536db

SHA256
44b5925f579fb521a21851ce881335376a87974776b0cbf900f9824f6f0f6d4a

SHA512
e1e1787772c796eb1d2685b4a176dc7346aac34fdc428ee6e99798d0052263603950698cb2eba5a55a865fecd1a0f5a05715c3376c8d9fa8ca443ddfa49d1392

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
1876a9fc346cb59e6f9e2c1a2b71d3e6

SHA1
cd427ecdea45320821faa1567e54df624011af58

SHA256
8b2f3662be979c436a6c9f88378a37dc515fb5b972d04c49a0205ae3510d71c6

SHA512
65f746f84fa9f08ec09357b0e0bdc7d2add24c4b930cbb8a94944473f9d90388a2b8173634a2aaea380d507e2a1f4439378f56ac25639a6d3b41334eca740b86

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
e201361bf2f73a69d76f6c76a5ca6c90

SHA1
4d23b8d9f2d82a54e01a4fd9ad9d6cafe9dd7cfa

SHA256
ae9d8eb9769164673490814025455c5485745f059247c0f55cbef854e66fd7da

SHA512
63cb7ad61ea4f7df207c39986f1bd130e809c68aa59a4ea48a048e5da7aa2e67859aba0973512d1edce3afd4201ce015b1758c630f2e53195ee0a87364e68e70

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
102737e6ae431c968c70995bd15d62cf

SHA1
d0a200af4cf6fe6fde0d3983e3a3241ce685e58a

SHA256
ef52e5685f1e24f859c0a27ce634be4e0812fcfcbbcd6946df23784121132a94

SHA512
9429b2b93da4c7fc14150d3f4b5260142ede6baa7d803f2715fa1147b2ed78fcdfb04889e3effc17cdd585774489486aa5550778f92524abca7516b606470ba3

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
b62478584edd28df4d24d7bb1109a4d0

SHA1
ad62e959b60153e56d44eee109cf9ded7cc4211e

SHA256
3563d6140aa23d11a7916a8f48d6d47994dda864ea6ca327c5b072c0783b5507

SHA512
efbc44c805735088f3091e9c27cecc495feef9f5da85d604c5e8f76f8255967034fe1e219805e417005c030f4256f0e92ec19f1d9931ff60525ef751e25bc9be

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
b62478584edd28df4d24d7bb1109a4d0

SHA1
ad62e959b60153e56d44eee109cf9ded7cc4211e

SHA256
3563d6140aa23d11a7916a8f48d6d47994dda864ea6ca327c5b072c0783b5507

SHA512
efbc44c805735088f3091e9c27cecc495feef9f5da85d604c5e8f76f8255967034fe1e219805e417005c030f4256f0e92ec19f1d9931ff60525ef751e25bc9be

Download Submit
\Users\Admin\AppData\Local\Temp\2486822613\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\2486822613\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
5aae7f910074d118e62d2bc5042d1995

SHA1
9656f0360d2063f518565dd2661cc3ad1eb2dab5

SHA256
d8421a005834e9cfdc84b11de1ffab152e06183505fed968ae5d1b895797467a

SHA512
2795789b387afc5ca719110671f30a5da69d479edd7aaae61d5a7c57a3d062fb346ba4ba1ced44829d34fdcfa66c76392927821a6206e713faa131a36ba51cda

Download Submit
memory/108-161-0x0000000000000000-mapping.dmp

Download
memory/280-195-0x0000000000000000-mapping.dmp

Download
memory/304-279-0x0000000000000000-mapping.dmp

Download
memory/360-208-0x0000000000000000-mapping.dmp

Download
memory/524-203-0x0000000000000000-mapping.dmp

Download
memory/572-288-0x0000000000000000-mapping.dmp

Download
memory/592-194-0x0000000000000000-mapping.dmp

Download
memory/596-260-0x0000000000000000-mapping.dmp

Download
memory/676-94-0x0000000000000000-mapping.dmp

Download
memory/804-134-0x0000000000000000-mapping.dmp

Download
memory/848-174-0x0000000000000000-mapping.dmp

Download
memory/868-100-0x0000000000000000-mapping.dmp

Download
memory/872-247-0x0000000000000000-mapping.dmp

Download
memory/912-143-0x00000000744F1000-0x00000000744F3000-memory.dmp

Filesize
8KB

Download
memory/912-98-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/932-204-0x0000000000000000-mapping.dmp

Download
memory/952-168-0x0000000000000000-mapping.dmp

Download
memory/952-250-0x0000000000000000-mapping.dmp

Download
memory/972-107-0x0000000000000000-mapping.dmp

Download
memory/976-300-0x0000000000000000-mapping.dmp

Download
memory/988-231-0x0000000000000000-mapping.dmp

Download
memory/996-58-0x0000000000000000-mapping.dmp

Download
memory/1048-188-0x0000000000000000-mapping.dmp

Download
memory/1048-82-0x0000000000000000-mapping.dmp

Download
memory/1056-233-0x0000000000000000-mapping.dmp

Download
memory/1084-281-0x0000000000000000-mapping.dmp

Download
memory/1124-268-0x0000000000000000-mapping.dmp

Download
memory/1168-120-0x0000000000000000-mapping.dmp

Download
memory/1172-234-0x0000000000000000-mapping.dmp

Download
memory/1212-270-0x0000000000000000-mapping.dmp

Download
memory/1240-305-0x0000000000000000-mapping.dmp

Download
memory/1264-182-0x0000000000000000-mapping.dmp

Download
memory/1272-191-0x0000000000000000-mapping.dmp

Download
memory/1272-88-0x0000000000000000-mapping.dmp

Download
memory/1320-245-0x0000000000000000-mapping.dmp

Download
memory/1328-210-0x0000000000000000-mapping.dmp

Download
memory/1352-280-0x0000000000000000-mapping.dmp

Download
memory/1384-212-0x0000000000000000-mapping.dmp

Download
memory/1392-114-0x0000000000000000-mapping.dmp

Download
memory/1408-70-0x0000000000000000-mapping.dmp

Download
memory/1472-140-0x0000000000000000-mapping.dmp

Download
memory/1512-179-0x0000000000000000-mapping.dmp

Download
memory/1524-223-0x0000000000000000-mapping.dmp

Download
memory/1532-244-0x0000000000000000-mapping.dmp

Download
memory/1548-251-0x0000000000000000-mapping.dmp

Download
memory/1560-200-0x0000000000000000-mapping.dmp

Download
memory/1564-273-0x0000000000000000-mapping.dmp

Download
memory/1568-148-0x0000000000000000-mapping.dmp

Download
memory/1576-278-0x0000000000000000-mapping.dmp

Download
memory/1596-302-0x0000000000000000-mapping.dmp

Download
memory/1604-64-0x0000000000000000-mapping.dmp

Download
memory/1612-224-0x0000000000000000-mapping.dmp

Download
memory/1620-242-0x0000000000000000-mapping.dmp

Download
memory/1644-285-0x0000000000000000-mapping.dmp

Download
memory/1672-76-0x0000000000000000-mapping.dmp

Download
memory/1688-225-0x0000000000000000-mapping.dmp

Download
memory/1740-299-0x0000000000000000-mapping.dmp

Download
memory/1756-127-0x0000000000000000-mapping.dmp

Download
memory/1756-298-0x0000000000000000-mapping.dmp

Download
memory/1776-209-0x0000000000000000-mapping.dmp

Download
memory/1788-185-0x0000000000000000-mapping.dmp

Download
memory/1800-211-0x0000000000000000-mapping.dmp

Download
memory/1812-257-0x0000000000000000-mapping.dmp

Download
memory/1844-301-0x0000000000000000-mapping.dmp

Download
memory/1872-297-0x0000000000000000-mapping.dmp

Download
memory/2004-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads