f1a14f4ec92c1f44078ecd89ca52b1b587582d93afdaef61723ceb0a68aa4b34

Analysis

max time kernel
189s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4797df86194ccfa96a0a439a9ab5af30_exe32.exe
Size

82KB
MD5

4797df86194ccfa96a0a439a9ab5af30
SHA1

909fa7bec22185d8ee7a4518193c4b2d42594608
SHA256

f1a14f4ec92c1f44078ecd89ca52b1b587582d93afdaef61723ceb0a68aa4b34
SHA512

9b1c66826634bcd0956362437e498f6cf7e257b6f9e0056c255058850f6ce8b974ff2f699a4bbf143e6206f8ac1c53b9eefe5e2d30257ef5ff395aa26a08b712
SSDEEP

768:2pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmn:2eT7BVwxfvEFwjRn

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	backup.exe
2776	backup.exe
2792	backup.exe
2676	backup.exe
2508	backup.exe
2556	backup.exe
1944	backup.exe
1116	backup.exe
1100	backup.exe
2396	backup.exe
1972	backup.exe
2860	backup.exe
436	backup.exe
2468	backup.exe
1200	backup.exe
2036	backup.exe
2312	backup.exe
1616	update.exe
1820	backup.exe
700	backup.exe
1412	backup.exe
1496	backup.exe
2160	backup.exe
1000	backup.exe
1884	backup.exe
2176	backup.exe
1488	backup.exe
2580	backup.exe
1456	backup.exe
2696	backup.exe
2632	backup.exe
3060	System Restore.exe
2780	backup.exe
2672	backup.exe
2520	backup.exe
2620	backup.exe
2512	backup.exe
2388	backup.exe
2004	backup.exe
1876	backup.exe
1716	backup.exe
1576	backup.exe
2836	backup.exe
1776	backup.exe
2268	backup.exe
2380	backup.exe
1644	update.exe
2876	backup.exe
2924	backup.exe
2760	data.exe
1256	backup.exe
1448	backup.exe
1220	backup.exe
1788	backup.exe
2928	backup.exe
2900	System Restore.exe
1568	backup.exe
1488	backup.exe
3044	backup.exe
2796	System Restore.exe
1760	backup.exe
1732	System Restore.exe
2592	backup.exe
2572	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
2556	backup.exe
2556	backup.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
1116	backup.exe
1116	backup.exe
2556	backup.exe
2556	backup.exe
1972	backup.exe
1972	backup.exe
2860	backup.exe
2860	backup.exe
1972	backup.exe
1972	backup.exe
2468	backup.exe
2468	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
2312	backup.exe
1616	update.exe
1616	update.exe
1616	update.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
2312	backup.exe
1972	backup.exe
1972	backup.exe
2468	backup.exe
1200	backup.exe
2468	backup.exe
1200	backup.exe
2312	backup.exe
2312	backup.exe
2556	backup.exe
2556	backup.exe
1884	backup.exe
1884	backup.exe
2556	backup.exe
1972	backup.exe
1000	backup.exe
2556	backup.exe
1200	backup.exe
2312	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1072-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1072-3-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000b000000015612-6.dat	upx
behavioral1/files/0x000b000000015612-8.dat	upx
behavioral1/files/0x000b000000015612-10.dat	upx
behavioral1/memory/1072-12-0x0000000000260000-0x000000000027C000-memory.dmp	upx
behavioral1/files/0x000b000000015612-13.dat	upx
behavioral1/memory/2628-14-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c6b-18.dat	upx
behavioral1/files/0x0007000000015c6b-25.dat	upx
behavioral1/files/0x0007000000015c6b-20.dat	upx
behavioral1/files/0x0007000000015c8c-36.dat	upx
behavioral1/files/0x0007000000015c8c-32.dat	upx
behavioral1/memory/2776-30-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c8c-29.dat	upx
behavioral1/files/0x0008000000015c81-46.dat	upx
behavioral1/files/0x0008000000015c81-42.dat	upx
behavioral1/files/0x0008000000015c81-40.dat	upx
behavioral1/files/0x0006000000015e2b-51.dat	upx
behavioral1/memory/2676-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015e2b-59.dat	upx
behavioral1/files/0x0006000000015e2b-54.dat	upx
behavioral1/memory/2628-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000b000000015612-63.dat	upx
behavioral1/memory/2508-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015e6c-69.dat	upx
behavioral1/files/0x000a000000015ca4-73.dat	upx
behavioral1/files/0x000a000000015ca4-77.dat	upx
behavioral1/files/0x000a000000015ca4-81.dat	upx
behavioral1/memory/2792-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ec3-86.dat	upx
behavioral1/files/0x0006000000015ec3-89.dat	upx
behavioral1/files/0x0006000000015ec3-94.dat	upx
behavioral1/files/0x0006000000015e6c-83.dat	upx
behavioral1/memory/1944-99-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001605b-100.dat	upx
behavioral1/files/0x0006000000015ec3-107.dat	upx
behavioral1/files/0x0006000000016279-113.dat	upx
behavioral1/files/0x0006000000016279-120.dat	upx
behavioral1/files/0x0006000000016279-116.dat	upx
behavioral1/files/0x000600000001605b-108.dat	upx
behavioral1/files/0x000600000001605b-103.dat	upx
behavioral1/memory/1100-123-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2396-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016599-134.dat	upx
behavioral1/files/0x0006000000016599-128.dat	upx
behavioral1/memory/2792-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016599-130.dat	upx
behavioral1/memory/1116-127-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2556-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00080000000162e2-141.dat	upx
behavioral1/files/0x0006000000016599-139.dat	upx
behavioral1/files/0x00080000000162e2-144.dat	upx
behavioral1/files/0x00080000000162e2-148.dat	upx
behavioral1/files/0x00080000000162e2-151.dat	upx
behavioral1/files/0x00060000000167ef-153.dat	upx
behavioral1/files/0x00060000000167ef-155.dat	upx
behavioral1/files/0x00060000000167ef-159.dat	upx
behavioral1/memory/436-165-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2860-166-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016ba4-169.dat	upx
behavioral1/files/0x0006000000016ba4-173.dat	upx
behavioral1/files/0x0006000000016ba4-167.dat	upx
behavioral1/memory/1972-174-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\System Restore.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System Restore.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe
2628	backup.exe
2776	backup.exe
2792	backup.exe
2676	backup.exe
2508	backup.exe
2556	backup.exe
1944	backup.exe
1116	backup.exe
1100	backup.exe
2396	backup.exe
1972	backup.exe
2860	backup.exe
436	backup.exe
2468	backup.exe
1200	backup.exe
2036	backup.exe
2312	backup.exe
1616	update.exe
1820	backup.exe
700	backup.exe
1412	backup.exe
1496	backup.exe
2160	backup.exe
2176	backup.exe
1884	backup.exe
2580	backup.exe
1488	backup.exe
1000	backup.exe
1456	backup.exe
2672	backup.exe
2520	backup.exe
2632	backup.exe
2696	backup.exe
2780	backup.exe
2620	backup.exe
2512	backup.exe
2388	backup.exe
1716	backup.exe
1576	backup.exe
1876	backup.exe
2004	backup.exe
2836	backup.exe
1776	backup.exe
2380	backup.exe
2268	backup.exe
1644	update.exe
2876	backup.exe
2924	backup.exe
1448	backup.exe
2760	data.exe
1256	backup.exe
1788	backup.exe
2928	backup.exe
1220	backup.exe
3060	System Restore.exe
3044	backup.exe
2796	System Restore.exe
1760	backup.exe
1732	System Restore.exe
1488	backup.exe
1568	backup.exe
2592	backup.exe
2572	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2628	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	28
PID 1072 wrote to memory of 2628	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	28
PID 1072 wrote to memory of 2628	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	28
PID 1072 wrote to memory of 2628	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	28
PID 1072 wrote to memory of 2776	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	29
PID 1072 wrote to memory of 2776	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	29
PID 1072 wrote to memory of 2776	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	29
PID 1072 wrote to memory of 2776	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	29
PID 1072 wrote to memory of 2792	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	30
PID 1072 wrote to memory of 2792	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	30
PID 1072 wrote to memory of 2792	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	30
PID 1072 wrote to memory of 2792	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	30
PID 1072 wrote to memory of 2676	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	31
PID 1072 wrote to memory of 2676	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	31
PID 1072 wrote to memory of 2676	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	31
PID 1072 wrote to memory of 2676	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	31
PID 1072 wrote to memory of 2508	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	32
PID 1072 wrote to memory of 2508	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	32
PID 1072 wrote to memory of 2508	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	32
PID 1072 wrote to memory of 2508	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	32
PID 2628 wrote to memory of 2556	2628	backup.exe	33
PID 2628 wrote to memory of 2556	2628	backup.exe	33
PID 2628 wrote to memory of 2556	2628	backup.exe	33
PID 2628 wrote to memory of 2556	2628	backup.exe	33
PID 1072 wrote to memory of 1944	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	34
PID 1072 wrote to memory of 1944	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	34
PID 1072 wrote to memory of 1944	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	34
PID 1072 wrote to memory of 1944	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	34
PID 2556 wrote to memory of 1116	2556	backup.exe	35
PID 2556 wrote to memory of 1116	2556	backup.exe	35
PID 2556 wrote to memory of 1116	2556	backup.exe	35
PID 2556 wrote to memory of 1116	2556	backup.exe	35
PID 1072 wrote to memory of 1100	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	36
PID 1072 wrote to memory of 1100	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	36
PID 1072 wrote to memory of 1100	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	36
PID 1072 wrote to memory of 1100	1072	4797df86194ccfa96a0a439a9ab5af30_exe32.exe	36
PID 1116 wrote to memory of 2396	1116	backup.exe	37
PID 1116 wrote to memory of 2396	1116	backup.exe	37
PID 1116 wrote to memory of 2396	1116	backup.exe	37
PID 1116 wrote to memory of 2396	1116	backup.exe	37
PID 2556 wrote to memory of 1972	2556	backup.exe	38
PID 2556 wrote to memory of 1972	2556	backup.exe	38
PID 2556 wrote to memory of 1972	2556	backup.exe	38
PID 2556 wrote to memory of 1972	2556	backup.exe	38
PID 1972 wrote to memory of 2860	1972	backup.exe	39
PID 1972 wrote to memory of 2860	1972	backup.exe	39
PID 1972 wrote to memory of 2860	1972	backup.exe	39
PID 1972 wrote to memory of 2860	1972	backup.exe	39
PID 2860 wrote to memory of 436	2860	backup.exe	40
PID 2860 wrote to memory of 436	2860	backup.exe	40
PID 2860 wrote to memory of 436	2860	backup.exe	40
PID 2860 wrote to memory of 436	2860	backup.exe	40
PID 1972 wrote to memory of 2468	1972	backup.exe	41
PID 1972 wrote to memory of 2468	1972	backup.exe	41
PID 1972 wrote to memory of 2468	1972	backup.exe	41
PID 1972 wrote to memory of 2468	1972	backup.exe	41
PID 2468 wrote to memory of 1200	2468	backup.exe	42
PID 2468 wrote to memory of 1200	2468	backup.exe	42
PID 2468 wrote to memory of 1200	2468	backup.exe	42
PID 2468 wrote to memory of 1200	2468	backup.exe	42
PID 1200 wrote to memory of 2036	1200	backup.exe	43
PID 1200 wrote to memory of 2036	1200	backup.exe	43
PID 1200 wrote to memory of 2036	1200	backup.exe	43
PID 1200 wrote to memory of 2036	1200	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\4797df86194ccfa96a0a439a9ab5af30_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\4797df86194ccfa96a0a439a9ab5af30_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\1626295878\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1626295878\backup.exe C:\Users\Admin\AppData\Local\Temp\1626295878\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2628
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2556
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1116
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2396
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1972
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2860
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:436
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2468
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        
        PID:2864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:2056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2512
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2760
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2356
        
        C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:568
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2388
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\System\ado\en-US\update.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\update.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2392
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2856
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1868
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1680
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2592
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:2112
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2752
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2332
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2940
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1000
      - C:\Program Files\DVD Maker\de-DE\System Restore.exe
        
        "C:\Program Files\DVD Maker\de-DE\System Restore.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
      - C:\Program Files\DVD Maker\en-US\System Restore.exe
        
        "C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2796
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1672
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:524
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2688
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2836
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2660
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2632
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
        
        C:\Program Files\Google\Chrome\Application\update.exe
        
        "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1520
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2500
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2436
    - - C:\Program Files\Internet Explorer\System Restore.exe
        
        "C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2584
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:896
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2212
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1996
      - C:\Program Files\Java\jdk1.7.0_80\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Drops file in Program Files directory
        
        PID:2700
        
        C:\Program Files\Java\jdk1.7.0_80\bin\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\data.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:1108
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:2008
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:364
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2840
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2956
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2896
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2580
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2620
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:3048
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:636
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2772
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1456
      - C:\Program Files (x86)\Common Files\Adobe AIR\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1092
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2344
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2364
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:484
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2160
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1144
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1628
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2768
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1524
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2696
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
      - C:\Users\Admin\Downloads\update.exe
        
        C:\Users\Admin\Downloads\update.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1948
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1576
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3052
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2652
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1784
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2892
      - C:\Users\Admin\Searches\data.exe
        
        C:\Users\Admin\Searches\data.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2116
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2572
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:2168
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2504
        
        C:\Users\Public\Music\Sample Music\data.exe
        
        "C:\Users\Public\Music\Sample Music\data.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:2388
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2284
      - C:\Users\Public\Recorded TV\System Restore.exe
        
        "C:\Users\Public\Recorded TV\System Restore.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:3052
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1224
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      Executes dropped EXE
      System policy modification
      PID:2900
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:584
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:700
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2740
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:1812
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1688
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:948
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2728
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:532
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1896
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
82KB

MD5
ea4626b3846ac878b9d8ffe9a9aed413

SHA1
322cdbf08599de79094599c4ea7409c0a8a58ac1

SHA256
b48565666d90983c8f08f6f5d85d068eb14bf22b3c24864f72cf6342e68d8764

SHA512
33bd1c86f233d2ba15c9bfbb8e0c6c22a009cb76731ca8262b7e79bac48ff850b4bc6f5b4578d9b958fb5635a532320008c474e8dc4cfcf0f8e6dd704cf83581

Download Submit
C:\PerfLogs\backup.exe

Filesize
82KB

MD5
6dd84bad788b3912ce5cfdfe5dee72c2

SHA1
400839424c17c381bc8c242c573d2f7977ef3c96

SHA256
1a670af152012b6de636f48d664855ecf0d4eb25d45e136e13f323fcac4420a1

SHA512
aa1416c0c29c578688655045524b9e04214e613df46aaef1c52ccdb674da2becbb439a032df752464b5e0ccc2da8ed4c9ad1cb8692226019d2a7a9aa6bb3721e

Download Submit
C:\PerfLogs\backup.exe

Filesize
82KB

MD5
6dd84bad788b3912ce5cfdfe5dee72c2

SHA1
400839424c17c381bc8c242c573d2f7977ef3c96

SHA256
1a670af152012b6de636f48d664855ecf0d4eb25d45e136e13f323fcac4420a1

SHA512
aa1416c0c29c578688655045524b9e04214e613df46aaef1c52ccdb674da2becbb439a032df752464b5e0ccc2da8ed4c9ad1cb8692226019d2a7a9aa6bb3721e

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
82KB

MD5
ada77269892df3419d2127f19fb27096

SHA1
8d35fdad18e3313047c5d805f7b12cb65010c71c

SHA256
54d07d22b1163b060e0825bcf60641a2d0d6f64aaebbbb8be9610e8bc2dae752

SHA512
3c624b4d7a1a37db199d5fbf4576b319071323232a5cf78cb57791d29ec041ec5e7b65a0e7d8057422af2981cd9ededef145df3186e200f3328f37b94f46c525

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
82KB

MD5
8c4eb72bda8fc411b9c0c08ddb4f4bb9

SHA1
1cb52ede031dd038f94e2155da2bc3ca5ee114a7

SHA256
d6082b4c41e03d62294fc4e4d57e8c349f9919457a6ac45f1435d487b1bd8c0f

SHA512
9215182598e16e7f2d6cf6dff6df2e052b70fa1ecd8ae35cce43e09092ae72889383189a0830c88b67a2739a9f7cbe3a6b3e080edc566695715bf729abd8e8a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
82KB

MD5
8c4eb72bda8fc411b9c0c08ddb4f4bb9

SHA1
1cb52ede031dd038f94e2155da2bc3ca5ee114a7

SHA256
d6082b4c41e03d62294fc4e4d57e8c349f9919457a6ac45f1435d487b1bd8c0f

SHA512
9215182598e16e7f2d6cf6dff6df2e052b70fa1ecd8ae35cce43e09092ae72889383189a0830c88b67a2739a9f7cbe3a6b3e080edc566695715bf729abd8e8a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
C:\Program Files\backup.exe

Filesize
82KB

MD5
e567ee47bbd63f07661daf94633b162e

SHA1
1f32d10925db43a2b8563f93d26942ec312a2325

SHA256
8c62e4e47bf13da58bca16872defb0f5dce78be4da1b2a159d12e299cb40db83

SHA512
99091ff01bf4383c24ea65f02b6132e2e4f3c83642bc5e809e13374224fe6b506bfa4c024368314f14955275a4f2f48dd247959e1196454af49d4fec15fdc4fd

Download Submit
C:\Program Files\backup.exe

Filesize
82KB

MD5
e567ee47bbd63f07661daf94633b162e

SHA1
1f32d10925db43a2b8563f93d26942ec312a2325

SHA256
8c62e4e47bf13da58bca16872defb0f5dce78be4da1b2a159d12e299cb40db83

SHA512
99091ff01bf4383c24ea65f02b6132e2e4f3c83642bc5e809e13374224fe6b506bfa4c024368314f14955275a4f2f48dd247959e1196454af49d4fec15fdc4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1626295878\backup.exe

Filesize
82KB

MD5
8f414e2959c0614ee905123a7586b3c9

SHA1
ebac00ddbc8a9192f9aebdde4364d5aa41cb5114

SHA256
43cc54a9816e8050292096ccfa43e340f0556d021a7dafadbf6c024ce71636d4

SHA512
f11f8799f01102a2c940c4fd6bce8d9eb252568926351792782b6a8c306528b9e5621b4f643f4f507cce5ee8e342e0c5f5404695d552d6acb6954c83358c0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1626295878\backup.exe

Filesize
82KB

MD5
8f414e2959c0614ee905123a7586b3c9

SHA1
ebac00ddbc8a9192f9aebdde4364d5aa41cb5114

SHA256
43cc54a9816e8050292096ccfa43e340f0556d021a7dafadbf6c024ce71636d4

SHA512
f11f8799f01102a2c940c4fd6bce8d9eb252568926351792782b6a8c306528b9e5621b4f643f4f507cce5ee8e342e0c5f5404695d552d6acb6954c83358c0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1626295878\backup.exe

Filesize
82KB

MD5
8f414e2959c0614ee905123a7586b3c9

SHA1
ebac00ddbc8a9192f9aebdde4364d5aa41cb5114

SHA256
43cc54a9816e8050292096ccfa43e340f0556d021a7dafadbf6c024ce71636d4

SHA512
f11f8799f01102a2c940c4fd6bce8d9eb252568926351792782b6a8c306528b9e5621b4f643f4f507cce5ee8e342e0c5f5404695d552d6acb6954c83358c0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
82KB

MD5
c1321b1f90c4787204c0a38adc61ffaa

SHA1
b5a6b4d958db8232e9902fb5252a6f8779b3ee9e

SHA256
551e14c998d46fa8e129eb71ac669ef4c0ec6b7cc2ad641204d90a3abeddf734

SHA512
9eeeb426d18baa278c688cc2d45f0bb1459fac538f7e20024fa3edc0d9424579c98bc3d1220c5fb33739c34e96b6c6d5b387de360eb489a447bfd0f6467fcb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
82KB

MD5
f792e8eb782456fe1f00c70a0d7dea0b

SHA1
5bb7815952af0ec45fd737de424acc0bd839444d

SHA256
872b916165e2d686c2f70a025964a1b42cfeaf8b311dc58b13d6835d1a6ff84a

SHA512
4b7041001af17c0050ad5a2f3df236b865df0324f4b1ee4239bd346077b45ad1b1a194e5698ec264e6d328f3c1de8765607fb9cb9bb28aab7d7e878100500daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
3691299d7e8b3e22cad2909fe08bd81e

SHA1
e2a70b94ec5c779628f45d4bb76b7eb3707efefd

SHA256
af263d15fb6f7434714aa36f39ce44ef2cc563f7f1f73a6e93d306c6ee84fe80

SHA512
5c670060d2945b5e457490767db9ad953400a97ceffca409f34e6291e17775ec1f01a70c3ca57564313c3fa03729658e0fbb607f5080b433903386ebc21968b8

Download Submit
C:\backup.exe

Filesize
82KB

MD5
7e3db82e66067ed3b48ecc4f3ee29eaa

SHA1
6e7e6509b99c93b6d167cc4a49314a71ceb4129b

SHA256
2630ccbd6853d3ec5ed8801be4717d2a29f0799f211d6c9d13f4c280a74ccada

SHA512
c284a73983fe97336a0a72566ea9a9f7578c02bc65841c1915223690930983240d158866ad6dcd288c4184f6e83606ffce1c9c4a0e2f55cfa70b346323ebd08d

Download Submit
C:\backup.exe

Filesize
82KB

MD5
7e3db82e66067ed3b48ecc4f3ee29eaa

SHA1
6e7e6509b99c93b6d167cc4a49314a71ceb4129b

SHA256
2630ccbd6853d3ec5ed8801be4717d2a29f0799f211d6c9d13f4c280a74ccada

SHA512
c284a73983fe97336a0a72566ea9a9f7578c02bc65841c1915223690930983240d158866ad6dcd288c4184f6e83606ffce1c9c4a0e2f55cfa70b346323ebd08d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
82KB

MD5
ea4626b3846ac878b9d8ffe9a9aed413

SHA1
322cdbf08599de79094599c4ea7409c0a8a58ac1

SHA256
b48565666d90983c8f08f6f5d85d068eb14bf22b3c24864f72cf6342e68d8764

SHA512
33bd1c86f233d2ba15c9bfbb8e0c6c22a009cb76731ca8262b7e79bac48ff850b4bc6f5b4578d9b958fb5635a532320008c474e8dc4cfcf0f8e6dd704cf83581

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
82KB

MD5
ea4626b3846ac878b9d8ffe9a9aed413

SHA1
322cdbf08599de79094599c4ea7409c0a8a58ac1

SHA256
b48565666d90983c8f08f6f5d85d068eb14bf22b3c24864f72cf6342e68d8764

SHA512
33bd1c86f233d2ba15c9bfbb8e0c6c22a009cb76731ca8262b7e79bac48ff850b4bc6f5b4578d9b958fb5635a532320008c474e8dc4cfcf0f8e6dd704cf83581

Download Submit
\PerfLogs\backup.exe

Filesize
82KB

MD5
6dd84bad788b3912ce5cfdfe5dee72c2

SHA1
400839424c17c381bc8c242c573d2f7977ef3c96

SHA256
1a670af152012b6de636f48d664855ecf0d4eb25d45e136e13f323fcac4420a1

SHA512
aa1416c0c29c578688655045524b9e04214e613df46aaef1c52ccdb674da2becbb439a032df752464b5e0ccc2da8ed4c9ad1cb8692226019d2a7a9aa6bb3721e

Download Submit
\PerfLogs\backup.exe

Filesize
82KB

MD5
6dd84bad788b3912ce5cfdfe5dee72c2

SHA1
400839424c17c381bc8c242c573d2f7977ef3c96

SHA256
1a670af152012b6de636f48d664855ecf0d4eb25d45e136e13f323fcac4420a1

SHA512
aa1416c0c29c578688655045524b9e04214e613df46aaef1c52ccdb674da2becbb439a032df752464b5e0ccc2da8ed4c9ad1cb8692226019d2a7a9aa6bb3721e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
82KB

MD5
ada77269892df3419d2127f19fb27096

SHA1
8d35fdad18e3313047c5d805f7b12cb65010c71c

SHA256
54d07d22b1163b060e0825bcf60641a2d0d6f64aaebbbb8be9610e8bc2dae752

SHA512
3c624b4d7a1a37db199d5fbf4576b319071323232a5cf78cb57791d29ec041ec5e7b65a0e7d8057422af2981cd9ededef145df3186e200f3328f37b94f46c525

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
82KB

MD5
ada77269892df3419d2127f19fb27096

SHA1
8d35fdad18e3313047c5d805f7b12cb65010c71c

SHA256
54d07d22b1163b060e0825bcf60641a2d0d6f64aaebbbb8be9610e8bc2dae752

SHA512
3c624b4d7a1a37db199d5fbf4576b319071323232a5cf78cb57791d29ec041ec5e7b65a0e7d8057422af2981cd9ededef145df3186e200f3328f37b94f46c525

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
82KB

MD5
8c4eb72bda8fc411b9c0c08ddb4f4bb9

SHA1
1cb52ede031dd038f94e2155da2bc3ca5ee114a7

SHA256
d6082b4c41e03d62294fc4e4d57e8c349f9919457a6ac45f1435d487b1bd8c0f

SHA512
9215182598e16e7f2d6cf6dff6df2e052b70fa1ecd8ae35cce43e09092ae72889383189a0830c88b67a2739a9f7cbe3a6b3e080edc566695715bf729abd8e8a2

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
82KB

MD5
8c4eb72bda8fc411b9c0c08ddb4f4bb9

SHA1
1cb52ede031dd038f94e2155da2bc3ca5ee114a7

SHA256
d6082b4c41e03d62294fc4e4d57e8c349f9919457a6ac45f1435d487b1bd8c0f

SHA512
9215182598e16e7f2d6cf6dff6df2e052b70fa1ecd8ae35cce43e09092ae72889383189a0830c88b67a2739a9f7cbe3a6b3e080edc566695715bf729abd8e8a2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
82KB

MD5
a4e3351dfdd524418b3ed6be92723257

SHA1
cfb11abc6bc9d467d7192a56bc5a1969ea8cfe84

SHA256
fcee13a4a03058a00939fe43d2c0e179997cd1a6a4a02f7608a3e9b312ea74fd

SHA512
2653f2cbc5bb749f11d4030aed0af0d5dedd1372e4abaf616fc49e16f3841825bf13d1a3569b400394b7608294d5b517c0cf1e3bbccb48fbbca5581262776001

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
82KB

MD5
bbe890bbaec90c334ff4446ae2c11f18

SHA1
5d13f26c6a056decfa5b1b8bd030e4d0586f5f10

SHA256
d40203438e056410f3c9880f93dad503cc8b178c406a2e0c2419eb7eaa514ad1

SHA512
95f0b5567ce42c52817dc55b6b506b512bed660fbfaa70b4575c6f4c3c3c8b088c0f4f7d21cfc66aceeb6c8f4d1e0ead56e24b279f8c0824a9a9dba556a94506

Download Submit
\Program Files\Common Files\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
\Program Files\Common Files\backup.exe

Filesize
82KB

MD5
6ebd83365e64fd1e5647126b04ac2cf1

SHA1
5f7119068e63a31f603ec9b228fee6e79af0bb09

SHA256
77f4beafca3dabbbdd74e700f1c033135331297a6317329b7e2a1c54e5f7c18e

SHA512
6cf6dd58910673dd3364c30464cf1ecde412f094bea26e1880d1494422ee374f3478622e436db980e51ab0efe85a06dcdba3a6aa9f575707940283980641b4d6

Download Submit
\Program Files\backup.exe

Filesize
82KB

MD5
e567ee47bbd63f07661daf94633b162e

SHA1
1f32d10925db43a2b8563f93d26942ec312a2325

SHA256
8c62e4e47bf13da58bca16872defb0f5dce78be4da1b2a159d12e299cb40db83

SHA512
99091ff01bf4383c24ea65f02b6132e2e4f3c83642bc5e809e13374224fe6b506bfa4c024368314f14955275a4f2f48dd247959e1196454af49d4fec15fdc4fd

Download Submit
\Program Files\backup.exe

Filesize
82KB

MD5
e567ee47bbd63f07661daf94633b162e

SHA1
1f32d10925db43a2b8563f93d26942ec312a2325

SHA256
8c62e4e47bf13da58bca16872defb0f5dce78be4da1b2a159d12e299cb40db83

SHA512
99091ff01bf4383c24ea65f02b6132e2e4f3c83642bc5e809e13374224fe6b506bfa4c024368314f14955275a4f2f48dd247959e1196454af49d4fec15fdc4fd

Download Submit
\Users\Admin\AppData\Local\Temp\1626295878\backup.exe

Filesize
82KB

MD5
8f414e2959c0614ee905123a7586b3c9

SHA1
ebac00ddbc8a9192f9aebdde4364d5aa41cb5114

SHA256
43cc54a9816e8050292096ccfa43e340f0556d021a7dafadbf6c024ce71636d4

SHA512
f11f8799f01102a2c940c4fd6bce8d9eb252568926351792782b6a8c306528b9e5621b4f643f4f507cce5ee8e342e0c5f5404695d552d6acb6954c83358c0d25

Download Submit
\Users\Admin\AppData\Local\Temp\1626295878\backup.exe

Filesize
82KB

MD5
8f414e2959c0614ee905123a7586b3c9

SHA1
ebac00ddbc8a9192f9aebdde4364d5aa41cb5114

SHA256
43cc54a9816e8050292096ccfa43e340f0556d021a7dafadbf6c024ce71636d4

SHA512
f11f8799f01102a2c940c4fd6bce8d9eb252568926351792782b6a8c306528b9e5621b4f643f4f507cce5ee8e342e0c5f5404695d552d6acb6954c83358c0d25

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
82KB

MD5
c1321b1f90c4787204c0a38adc61ffaa

SHA1
b5a6b4d958db8232e9902fb5252a6f8779b3ee9e

SHA256
551e14c998d46fa8e129eb71ac669ef4c0ec6b7cc2ad641204d90a3abeddf734

SHA512
9eeeb426d18baa278c688cc2d45f0bb1459fac538f7e20024fa3edc0d9424579c98bc3d1220c5fb33739c34e96b6c6d5b387de360eb489a447bfd0f6467fcb8e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
82KB

MD5
c1321b1f90c4787204c0a38adc61ffaa

SHA1
b5a6b4d958db8232e9902fb5252a6f8779b3ee9e

SHA256
551e14c998d46fa8e129eb71ac669ef4c0ec6b7cc2ad641204d90a3abeddf734

SHA512
9eeeb426d18baa278c688cc2d45f0bb1459fac538f7e20024fa3edc0d9424579c98bc3d1220c5fb33739c34e96b6c6d5b387de360eb489a447bfd0f6467fcb8e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
82KB

MD5
2c80a60a226a21327978d31362054221

SHA1
0d9b7b95f54e014917ddb33dc410d099026504a7

SHA256
ea48246f856a9f1a912508f9378ba9845a69aeba7ca49b42ebd29d8baab8aaaa

SHA512
ced198a09f534f762b1df1f178fc07d6d48cd9ec88936744a95b5aff052f0dd8dc4750321b387b09e36bfd0caebd23ead047032d6a4101082b160f20176ea967

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
82KB

MD5
f792e8eb782456fe1f00c70a0d7dea0b

SHA1
5bb7815952af0ec45fd737de424acc0bd839444d

SHA256
872b916165e2d686c2f70a025964a1b42cfeaf8b311dc58b13d6835d1a6ff84a

SHA512
4b7041001af17c0050ad5a2f3df236b865df0324f4b1ee4239bd346077b45ad1b1a194e5698ec264e6d328f3c1de8765607fb9cb9bb28aab7d7e878100500daf

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
82KB

MD5
f792e8eb782456fe1f00c70a0d7dea0b

SHA1
5bb7815952af0ec45fd737de424acc0bd839444d

SHA256
872b916165e2d686c2f70a025964a1b42cfeaf8b311dc58b13d6835d1a6ff84a

SHA512
4b7041001af17c0050ad5a2f3df236b865df0324f4b1ee4239bd346077b45ad1b1a194e5698ec264e6d328f3c1de8765607fb9cb9bb28aab7d7e878100500daf

Download Submit
memory/436-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/700-257-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1000-349-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1072-47-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1072-110-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-58-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-12-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-175-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1072-228-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1072-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1072-294-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1072-93-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-24-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-101-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1072-84-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1100-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1116-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1116-115-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1200-234-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1200-335-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1200-333-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1200-317-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1200-310-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1200-253-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1412-267-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1488-346-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1496-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1616-241-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1820-248-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-344-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1944-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1972-219-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/1972-174-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2160-297-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2160-290-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2176-345-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2176-353-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2312-342-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2312-271-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2312-287-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2312-262-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2396-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2468-334-0x0000000001BC0000-0x0000000001BDC000-memory.dmp

Filesize
112KB

Download
memory/2468-315-0x0000000001BC0000-0x0000000001BDC000-memory.dmp

Filesize
112KB

Download
memory/2468-221-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2468-341-0x0000000001BC0000-0x0000000001BDC000-memory.dmp

Filesize
112KB

Download
memory/2508-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-323-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2556-347-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2556-350-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2556-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-135-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2556-324-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2556-95-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2580-348-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2676-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2792-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2792-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2860-166-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads