ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523

Analysis

max time kernel
100s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
Size

72KB
MD5

ded68b44df00ede52e08dddad7a2cda1
SHA1

0fbf288b15b5d74e8df03c60736c85464ea45fba
SHA256

ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523
SHA512

9a22b984cc5bd7134d820c7235b45b0e0bc126a6014f29c38424978425e517ab8f575dbce9d03c0d2816069029e16130b6928e21c501fad9a153bbf3593563f5
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyv8:HeT7BVwxfvqguKRFAp

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
940	backup.exe
1620	backup.exe
268	System Restore.exe
1860	System Restore.exe
1752	backup.exe
1884	backup.exe
1844	backup.exe
296	backup.exe
1800	backup.exe
1692	backup.exe
1116	System Restore.exe
1960	backup.exe
1612	backup.exe
1532	backup.exe
1164	update.exe
1568	backup.exe
1592	backup.exe
1576	backup.exe
1084	backup.exe
1120	backup.exe
108	backup.exe
1752	backup.exe
532	backup.exe
892	backup.exe
968	backup.exe
676	backup.exe
1524	backup.exe
1892	backup.exe
1800	backup.exe
1680	System Restore.exe
988	backup.exe
1196	backup.exe
1612	System Restore.exe
812	backup.exe
1608	backup.exe
1104	backup.exe
1476	backup.exe
792	backup.exe
1568	backup.exe
540	backup.exe
1180	backup.exe
1496	backup.exe
1860	backup.exe
1300	backup.exe
1492	backup.exe
896	backup.exe
660	backup.exe
552	backup.exe
676	backup.exe
624	backup.exe
1524	backup.exe
1816	backup.exe
2016	backup.exe
988	backup.exe
428	data.exe
1996	backup.exe
1548	backup.exe
1184	backup.exe
1104	backup.exe
936	backup.exe
1672	backup.exe
1600	backup.exe
328	backup.exe
1700	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
1844	backup.exe
1844	backup.exe
1800	backup.exe
1800	backup.exe
1844	backup.exe
1844	backup.exe
1116	System Restore.exe
1116	System Restore.exe
1960	backup.exe
1960	backup.exe
1116	System Restore.exe
1116	System Restore.exe
1532	backup.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1164	update.exe
1568	backup.exe
1568	backup.exe
1568	backup.exe
1164	update.exe
1164	update.exe
1592	backup.exe
1592	backup.exe
1592	backup.exe
1592	backup.exe
1592	backup.exe
1576	backup.exe
1576	backup.exe
1576	backup.exe
1592	backup.exe
1592	backup.exe
1084	backup.exe
1084	backup.exe
1084	backup.exe
1592	backup.exe
1592	backup.exe
1120	backup.exe
1120	backup.exe
1120	backup.exe
1592	backup.exe
1592	backup.exe
108	backup.exe
108	backup.exe
108	backup.exe
1592	backup.exe
1592	backup.exe
1752	backup.exe
1752	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\data.exe	backup.exe
File opened for modification	C:\Program Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
940	backup.exe
1620	backup.exe
268	System Restore.exe
1860	System Restore.exe
1752	backup.exe
1884	backup.exe
1844	backup.exe
296	backup.exe
1800	backup.exe
1692	backup.exe
1116	System Restore.exe
1960	backup.exe
1612	backup.exe
1532	backup.exe
1164	update.exe
1568	backup.exe
1592	backup.exe
1576	backup.exe
1084	backup.exe
1120	backup.exe
108	backup.exe
1752	backup.exe
532	backup.exe
892	backup.exe
968	backup.exe
676	backup.exe
1524	backup.exe
1892	backup.exe
1800	backup.exe
1680	System Restore.exe
988	backup.exe
1196	backup.exe
1612	System Restore.exe
812	backup.exe
1608	backup.exe
1104	backup.exe
1476	backup.exe
792	backup.exe
1568	backup.exe
540	backup.exe
1180	backup.exe
1496	backup.exe
1860	backup.exe
1300	backup.exe
1492	backup.exe
896	backup.exe
660	backup.exe
552	backup.exe
676	backup.exe
1816	backup.exe
2016	backup.exe
624	backup.exe
1524	backup.exe
988	backup.exe
428	data.exe
1548	backup.exe
1996	backup.exe
1184	backup.exe
1104	backup.exe
1748	backup.exe
584	backup.exe
936	backup.exe
1496	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 940	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	28
PID 1772 wrote to memory of 940	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	28
PID 1772 wrote to memory of 940	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	28
PID 1772 wrote to memory of 940	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	28
PID 1772 wrote to memory of 1620	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	29
PID 1772 wrote to memory of 1620	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	29
PID 1772 wrote to memory of 1620	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	29
PID 1772 wrote to memory of 1620	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	29
PID 1772 wrote to memory of 268	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	30
PID 1772 wrote to memory of 268	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	30
PID 1772 wrote to memory of 268	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	30
PID 1772 wrote to memory of 268	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	30
PID 1772 wrote to memory of 1860	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	31
PID 1772 wrote to memory of 1860	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	31
PID 1772 wrote to memory of 1860	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	31
PID 1772 wrote to memory of 1860	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	31
PID 1772 wrote to memory of 1752	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	32
PID 1772 wrote to memory of 1752	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	32
PID 1772 wrote to memory of 1752	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	32
PID 1772 wrote to memory of 1752	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	32
PID 1772 wrote to memory of 1884	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	33
PID 1772 wrote to memory of 1884	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	33
PID 1772 wrote to memory of 1884	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	33
PID 1772 wrote to memory of 1884	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	33
PID 940 wrote to memory of 1844	940	backup.exe	34
PID 940 wrote to memory of 1844	940	backup.exe	34
PID 940 wrote to memory of 1844	940	backup.exe	34
PID 940 wrote to memory of 1844	940	backup.exe	34
PID 1772 wrote to memory of 296	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	35
PID 1772 wrote to memory of 296	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	35
PID 1772 wrote to memory of 296	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	35
PID 1772 wrote to memory of 296	1772	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe	35
PID 1844 wrote to memory of 1800	1844	backup.exe	36
PID 1844 wrote to memory of 1800	1844	backup.exe	36
PID 1844 wrote to memory of 1800	1844	backup.exe	36
PID 1844 wrote to memory of 1800	1844	backup.exe	36
PID 1800 wrote to memory of 1692	1800	backup.exe	37
PID 1800 wrote to memory of 1692	1800	backup.exe	37
PID 1800 wrote to memory of 1692	1800	backup.exe	37
PID 1800 wrote to memory of 1692	1800	backup.exe	37
PID 1844 wrote to memory of 1116	1844	backup.exe	38
PID 1844 wrote to memory of 1116	1844	backup.exe	38
PID 1844 wrote to memory of 1116	1844	backup.exe	38
PID 1844 wrote to memory of 1116	1844	backup.exe	38
PID 1116 wrote to memory of 1960	1116	System Restore.exe	39
PID 1116 wrote to memory of 1960	1116	System Restore.exe	39
PID 1116 wrote to memory of 1960	1116	System Restore.exe	39
PID 1116 wrote to memory of 1960	1116	System Restore.exe	39
PID 1960 wrote to memory of 1612	1960	backup.exe	40
PID 1960 wrote to memory of 1612	1960	backup.exe	40
PID 1960 wrote to memory of 1612	1960	backup.exe	40
PID 1960 wrote to memory of 1612	1960	backup.exe	40
PID 1116 wrote to memory of 1532	1116	System Restore.exe	41
PID 1116 wrote to memory of 1532	1116	System Restore.exe	41
PID 1116 wrote to memory of 1532	1116	System Restore.exe	41
PID 1116 wrote to memory of 1532	1116	System Restore.exe	41
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1532 wrote to memory of 1164	1532	backup.exe	42
PID 1164 wrote to memory of 1568	1164	update.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe
"C:\Users\Admin\AppData\Local\Temp\ad873bb9c88a0b3d40c59f5825241c604f94c3ac9a96c008f562f965ed8c7523.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1772
- C:\Users\Admin\AppData\Local\Temp\3697973640\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3697973640\backup.exe C:\Users\Admin\AppData\Local\Temp\3697973640\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:940
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1844
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1800
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1116
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1960
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1532
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        System policy modification
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2064
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\VC\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2052
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:676
      - C:\Program Files\Common Files\SpeechEngines\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\data.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:428
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:540
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:328
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1744
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:684
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1588
        
        C:\Program Files\Common Files\System\en-US\update.exe
        
        "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1092
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1816
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:528
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1504
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1568
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:960
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:988
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1104
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1492
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1780
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1220
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1480
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1720
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:536
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1100
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1672
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1940
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1176
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1284
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:868
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1068
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1052
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1736
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:624
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1700
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:840
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1552
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2072
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:568
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1184
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1652
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:772
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1560
      - C:\Users\Admin\Downloads\update.exe
        
        C:\Users\Admin\Downloads\update.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:296
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        
        PID:964
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:580
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
31f167e0ff2f7ba195e67eacb592bc9f

SHA1
c9c3eba90c2498ccb01cec98723aa457f46f29c8

SHA256
aee2c04fbab93ca427f1b8287cf2ba0302225ec98f4010a3aa341746225abacc

SHA512
68c7dbc631f649000c6c4c8415bf19e32340bdac7e9f1f9686e0935db710a72efafd6e2ac6bd05cc90a63c6a154bd16c822eb49361fd54e61bbb07ebcb2a60a9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
6416ae48abfc4e1f95996b53f51800f3

SHA1
6195cff56d5b7f627fe68a32f596101b32bc84de

SHA256
3dd3ceac8a517300bc6c2f4812723a89bef53051cef5711c82c56cbe9037de43

SHA512
11df4cc10fc9ec55fda234976a84e26391548c733214bca60630f55dd11a5c7e030ac5ec248e442bb88a4bcb8e8b25e3a2598b6492c4c4044841544417301fd2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
6416ae48abfc4e1f95996b53f51800f3

SHA1
6195cff56d5b7f627fe68a32f596101b32bc84de

SHA256
3dd3ceac8a517300bc6c2f4812723a89bef53051cef5711c82c56cbe9037de43

SHA512
11df4cc10fc9ec55fda234976a84e26391548c733214bca60630f55dd11a5c7e030ac5ec248e442bb88a4bcb8e8b25e3a2598b6492c4c4044841544417301fd2

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
0534dc937cd4f641a7a437447e62561c

SHA1
42f1c8dc25e7370acc93864f370ef6f580e8f07f

SHA256
e404e6308685e16a484f333bf617421707e26f9899281bc75b268e1d80d73e1e

SHA512
2ae34aa7d2f1b70c1b9b89fd457decba315121d0d042e22db01a6659148c8c99ff7bbc68a4dd08ab2962fa076c66135fe3c5cdfb1f9dd643eb526e4312d7cc11

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
0534dc937cd4f641a7a437447e62561c

SHA1
42f1c8dc25e7370acc93864f370ef6f580e8f07f

SHA256
e404e6308685e16a484f333bf617421707e26f9899281bc75b268e1d80d73e1e

SHA512
2ae34aa7d2f1b70c1b9b89fd457decba315121d0d042e22db01a6659148c8c99ff7bbc68a4dd08ab2962fa076c66135fe3c5cdfb1f9dd643eb526e4312d7cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\3697973640\backup.exe

Filesize
72KB

MD5
e9a384ec5d5c63bad1c7ce4cecbea248

SHA1
86d8b7f2569a1b84badd88cd2274905216c7f895

SHA256
70072039eca54acd2317d023f79787f2db9dff0a6800661078c9e51bb1f4229d

SHA512
1cf5ff91ac35c084ea8214f4d56e88c14ee697c40350c85db6a62291841f63f6b131f91b545a9ddde999c2a94e5b1ad9d6e4824503ffd4cfd1e1059865eaf36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3697973640\backup.exe

Filesize
72KB

MD5
e9a384ec5d5c63bad1c7ce4cecbea248

SHA1
86d8b7f2569a1b84badd88cd2274905216c7f895

SHA256
70072039eca54acd2317d023f79787f2db9dff0a6800661078c9e51bb1f4229d

SHA512
1cf5ff91ac35c084ea8214f4d56e88c14ee697c40350c85db6a62291841f63f6b131f91b545a9ddde999c2a94e5b1ad9d6e4824503ffd4cfd1e1059865eaf36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6c7759bd3014de4e2ce882d03e0a8e22

SHA1
fc92bf99e066cdc0baf23ac760bfcc60d15bb5c4

SHA256
7b4c3c0ebad10686b699cf7054edbdce64a4af9b80e26cf9bbabc6fa009a96c1

SHA512
a671b8491fab27225c51bf3fe6d7dae1f62a222d049a65aaa96dcb570f65acf5aea7f71dc0b428a99ac6b15eeac68f5ef0c1b57ba01d462443aa8be669dd385e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9574d5a16f1ac268ab768aa6b56c9394

SHA1
2160edf3e8cb493862ccdc64b25ddcae1828307a

SHA256
a5301e926fe9be6560138e54c829c4d84db4603e706ad83f7faa55d7d841f6a5

SHA512
27acff0523ba568c946f388b269a264edfa906555035bb33b630f33e6dc2edd89e3b61c7bfbd71af909c93f157f41e7950305eafd4e6f842e3d1d0e6634dad6f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9574d5a16f1ac268ab768aa6b56c9394

SHA1
2160edf3e8cb493862ccdc64b25ddcae1828307a

SHA256
a5301e926fe9be6560138e54c829c4d84db4603e706ad83f7faa55d7d841f6a5

SHA512
27acff0523ba568c946f388b269a264edfa906555035bb33b630f33e6dc2edd89e3b61c7bfbd71af909c93f157f41e7950305eafd4e6f842e3d1d0e6634dad6f

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
31f167e0ff2f7ba195e67eacb592bc9f

SHA1
c9c3eba90c2498ccb01cec98723aa457f46f29c8

SHA256
aee2c04fbab93ca427f1b8287cf2ba0302225ec98f4010a3aa341746225abacc

SHA512
68c7dbc631f649000c6c4c8415bf19e32340bdac7e9f1f9686e0935db710a72efafd6e2ac6bd05cc90a63c6a154bd16c822eb49361fd54e61bbb07ebcb2a60a9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
31f167e0ff2f7ba195e67eacb592bc9f

SHA1
c9c3eba90c2498ccb01cec98723aa457f46f29c8

SHA256
aee2c04fbab93ca427f1b8287cf2ba0302225ec98f4010a3aa341746225abacc

SHA512
68c7dbc631f649000c6c4c8415bf19e32340bdac7e9f1f9686e0935db710a72efafd6e2ac6bd05cc90a63c6a154bd16c822eb49361fd54e61bbb07ebcb2a60a9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
6416ae48abfc4e1f95996b53f51800f3

SHA1
6195cff56d5b7f627fe68a32f596101b32bc84de

SHA256
3dd3ceac8a517300bc6c2f4812723a89bef53051cef5711c82c56cbe9037de43

SHA512
11df4cc10fc9ec55fda234976a84e26391548c733214bca60630f55dd11a5c7e030ac5ec248e442bb88a4bcb8e8b25e3a2598b6492c4c4044841544417301fd2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
6416ae48abfc4e1f95996b53f51800f3

SHA1
6195cff56d5b7f627fe68a32f596101b32bc84de

SHA256
3dd3ceac8a517300bc6c2f4812723a89bef53051cef5711c82c56cbe9037de43

SHA512
11df4cc10fc9ec55fda234976a84e26391548c733214bca60630f55dd11a5c7e030ac5ec248e442bb88a4bcb8e8b25e3a2598b6492c4c4044841544417301fd2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
8049dcc0cf3bacd01255b1ae027e4416

SHA1
f13d6a289a0f7cf001822cbda84c882e5e04e711

SHA256
d2bd48b803e559192ba6de3a9fc784b57271d3fbd43e9356b2d34b271ef9ed0c

SHA512
3635ebe61ed1dfc06437f38800106c8dbe912d91bb5306572604d8134089b70f2590abd896ae2e9719099e5427435eb433d2684ed8e2fab63ba970aafe1bb641

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
14ba71bb82912ccb6f6603c5a1f3685a

SHA1
e41983b867f8f0b5fb42785883d3e9aab07f54de

SHA256
a6e478428414688bf118c5939c52f7c9a4adfb97b62f27939f6867988a2e6c66

SHA512
3c7f8d3fd819ad7b8f144aef7f2f931e8dcd2002df7a8fa1921ddd9a61b8467fe42e1ee10fbf80b087bc443c0be75745fdfed404ce58155901ae5c228b0d93a2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b4f1bf0649234fa17add5eb39d12fd18

SHA1
ad986e03735d19a33a5a976a3cb77dd63ce2f760

SHA256
489a396b6477d6c828c235a972f4efed0eba5e8bdb47fb74422c08019a973048

SHA512
55f7f9626a51908f202a5bf0a78f1bf219c772bd113612fbcaaa17c8883e4ea4b17bff2948a43adc70c750257ede2764bc05ce2784b274cb9a83afad92f9a942

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
0534dc937cd4f641a7a437447e62561c

SHA1
42f1c8dc25e7370acc93864f370ef6f580e8f07f

SHA256
e404e6308685e16a484f333bf617421707e26f9899281bc75b268e1d80d73e1e

SHA512
2ae34aa7d2f1b70c1b9b89fd457decba315121d0d042e22db01a6659148c8c99ff7bbc68a4dd08ab2962fa076c66135fe3c5cdfb1f9dd643eb526e4312d7cc11

Download Submit
\Program Files\System Restore.exe

Filesize
72KB

MD5
0534dc937cd4f641a7a437447e62561c

SHA1
42f1c8dc25e7370acc93864f370ef6f580e8f07f

SHA256
e404e6308685e16a484f333bf617421707e26f9899281bc75b268e1d80d73e1e

SHA512
2ae34aa7d2f1b70c1b9b89fd457decba315121d0d042e22db01a6659148c8c99ff7bbc68a4dd08ab2962fa076c66135fe3c5cdfb1f9dd643eb526e4312d7cc11

Download Submit
\Users\Admin\AppData\Local\Temp\3697973640\backup.exe

Filesize
72KB

MD5
e9a384ec5d5c63bad1c7ce4cecbea248

SHA1
86d8b7f2569a1b84badd88cd2274905216c7f895

SHA256
70072039eca54acd2317d023f79787f2db9dff0a6800661078c9e51bb1f4229d

SHA512
1cf5ff91ac35c084ea8214f4d56e88c14ee697c40350c85db6a62291841f63f6b131f91b545a9ddde999c2a94e5b1ad9d6e4824503ffd4cfd1e1059865eaf36c

Download Submit
\Users\Admin\AppData\Local\Temp\3697973640\backup.exe

Filesize
72KB

MD5
e9a384ec5d5c63bad1c7ce4cecbea248

SHA1
86d8b7f2569a1b84badd88cd2274905216c7f895

SHA256
70072039eca54acd2317d023f79787f2db9dff0a6800661078c9e51bb1f4229d

SHA512
1cf5ff91ac35c084ea8214f4d56e88c14ee697c40350c85db6a62291841f63f6b131f91b545a9ddde999c2a94e5b1ad9d6e4824503ffd4cfd1e1059865eaf36c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6c7759bd3014de4e2ce882d03e0a8e22

SHA1
fc92bf99e066cdc0baf23ac760bfcc60d15bb5c4

SHA256
7b4c3c0ebad10686b699cf7054edbdce64a4af9b80e26cf9bbabc6fa009a96c1

SHA512
a671b8491fab27225c51bf3fe6d7dae1f62a222d049a65aaa96dcb570f65acf5aea7f71dc0b428a99ac6b15eeac68f5ef0c1b57ba01d462443aa8be669dd385e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6c7759bd3014de4e2ce882d03e0a8e22

SHA1
fc92bf99e066cdc0baf23ac760bfcc60d15bb5c4

SHA256
7b4c3c0ebad10686b699cf7054edbdce64a4af9b80e26cf9bbabc6fa009a96c1

SHA512
a671b8491fab27225c51bf3fe6d7dae1f62a222d049a65aaa96dcb570f65acf5aea7f71dc0b428a99ac6b15eeac68f5ef0c1b57ba01d462443aa8be669dd385e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
74bf5e0a117375d7251d3dbd3d40c09e

SHA1
f5acdfe090041705e560cccf65cb1b4d12998197

SHA256
921f8729bda1abbe9e7d4405c35a80d2f7e237141ad0d84004d100aee6eda0e7

SHA512
9fb23db1b72d0fe76b668142fdb3b8a9a40b872bb56a314496b1fff76daa94da2d73d7794cda7fd16c817ab03618fbc7956f9ee23688687c1872cafb89c52ecd

Download Submit
memory/1772-143-0x00000000742D1000-0x00000000742D3000-memory.dmp

Filesize
8KB

Download
memory/1772-111-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads