9867244e307ae75f9cdb98c48847d99e52de63740aec7c478dcddd1645cce9dd

Analysis

max time kernel
17s
max time network
131s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
Size

176KB
MD5

8e058f8dac340df491a9f1a68741c7a0
SHA1

52804ceca2350a54e90c6036a343679a25783d8b
SHA256

9867244e307ae75f9cdb98c48847d99e52de63740aec7c478dcddd1645cce9dd
SHA512

6361b4f6645628dfa7a907b9e9559f918c3f37ded4fab6abfcdaca223810344d603fe3ea7209297f8bd9b6c880346e97d6c2a55bf5d9abab475b8f67505b5478
SSDEEP

3072:qu8ANCrkvPb3NyS7zPvPb35vPb34QpNBBz8fQ8bQ+gnUpEprf5sCzDPvPb3NyS7A:TvNNycZpNBB38b3Eprf59zlyclDpNBBa

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 33 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 34 IoCs

pid	Process
2436	backup.exe
2644	backup.exe
2660	backup.exe
2548	backup.exe
2568	backup.exe
2556	backup.exe
2004	update.exe
2492	backup.exe
2408	backup.exe
1756	backup.exe
1672	backup.exe
580	backup.exe
948	backup.exe
2956	backup.exe
1472	backup.exe
1548	backup.exe
1176	update.exe
1644	data.exe
1184	backup.exe
2960	backup.exe
852	backup.exe
892	backup.exe
840	backup.exe
2696	backup.exe
2744	System Restore.exe
2924	backup.exe
2700	backup.exe
2524	backup.exe
2684	System Restore.exe
2556	backup.exe
2896	backup.exe
3012	backup.exe
1128	backup.exe
1204	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2004	update.exe
2004	update.exe
2408	backup.exe
2408	backup.exe
2408	backup.exe
2408	backup.exe
2408	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
2004	update.exe
2004	update.exe
1672	backup.exe
1672	backup.exe
1672	backup.exe
1672	backup.exe
1672	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
580	backup.exe
948	backup.exe
948	backup.exe
948	backup.exe
1672	backup.exe
1672	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
2956	backup.exe
1472	backup.exe
1472	backup.exe
1472	backup.exe
1472	backup.exe
1472	backup.exe
1548	backup.exe
1548	backup.exe
1548	backup.exe
1472	backup.exe
1176	update.exe
1176	update.exe
1176	update.exe
1176	update.exe
1176	update.exe
1644	data.exe
1644	data.exe
1644	data.exe
1176	update.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-0-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x000f000000015c00-5.dat	upx
behavioral1/files/0x000f000000015c00-7.dat	upx
behavioral1/files/0x000f000000015c00-9.dat	upx
behavioral1/files/0x000f000000015c00-11.dat	upx
behavioral1/files/0x0008000000015c23-15.dat	upx
behavioral1/files/0x0008000000015c23-17.dat	upx
behavioral1/files/0x0008000000015c23-22.dat	upx
behavioral1/memory/2644-23-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2644-30-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0007000000015c54-28.dat	upx
behavioral1/files/0x0007000000015c54-31.dat	upx
behavioral1/files/0x0007000000015c54-35.dat	upx
behavioral1/files/0x0008000000015c4c-41.dat	upx
behavioral1/memory/2596-45-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0008000000015c4c-39.dat	upx
behavioral1/files/0x0008000000015c4c-46.dat	upx
behavioral1/memory/2548-53-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0009000000015c9d-59.dat	upx
behavioral1/memory/2436-58-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0009000000015c9d-54.dat	upx
behavioral1/files/0x0009000000015c9d-51.dat	upx
behavioral1/files/0x0008000000015c5c-67.dat	upx
behavioral1/files/0x0008000000015c5c-71.dat	upx
behavioral1/memory/2568-66-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0008000000015c5c-64.dat	upx
behavioral1/files/0x000f000000015c00-74.dat	upx
behavioral1/memory/2436-79-0x0000000001D50000-0x0000000001D92000-memory.dmp	upx
behavioral1/memory/2556-81-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2660-82-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015ce7-80.dat	upx
behavioral1/memory/2596-83-0x00000000025C0000-0x0000000002602000-memory.dmp	upx
behavioral1/files/0x0006000000015ce7-85.dat	upx
behavioral1/files/0x0006000000015cc6-90.dat	upx
behavioral1/files/0x0006000000015cc6-92.dat	upx
behavioral1/memory/2596-93-0x00000000025C0000-0x0000000002602000-memory.dmp	upx
behavioral1/files/0x0006000000015ce7-91.dat	upx
behavioral1/memory/2492-99-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015db7-113.dat	upx
behavioral1/files/0x0006000000015db7-112.dat	upx
behavioral1/files/0x0006000000015db7-111.dat	upx
behavioral1/files/0x0006000000015db7-110.dat	upx
behavioral1/files/0x0006000000015db7-109.dat	upx
behavioral1/files/0x0006000000015db7-105.dat	upx
behavioral1/files/0x0006000000015db7-103.dat	upx
behavioral1/memory/2408-114-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015ea9-119.dat	upx
behavioral1/files/0x0006000000015ea9-127.dat	upx
behavioral1/files/0x0006000000015ea9-130.dat	upx
behavioral1/memory/2436-131-0x0000000001D50000-0x0000000001D92000-memory.dmp	upx
behavioral1/memory/1756-133-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015ea9-129.dat	upx
behavioral1/memory/2660-136-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015ea9-128.dat	upx
behavioral1/files/0x0006000000015ea9-126.dat	upx
behavioral1/files/0x0006000000015ea9-121.dat	upx
behavioral1/files/0x0006000000015fea-147.dat	upx
behavioral1/files/0x0006000000015fea-153.dat	upx
behavioral1/memory/2004-154-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0006000000015fea-152.dat	upx
behavioral1/files/0x0006000000015fea-151.dat	upx
behavioral1/files/0x0006000000015fea-150.dat	upx
behavioral1/files/0x0007000000015f10-162.dat	upx
behavioral1/files/0x0007000000015f10-168.dat	upx

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
2436	backup.exe
2644	backup.exe
2660	backup.exe
2548	backup.exe
2568	backup.exe
2556	backup.exe
2492	backup.exe
2004	update.exe
2408	backup.exe
1756	backup.exe
1672	backup.exe
580	backup.exe
948	backup.exe
2956	backup.exe
1472	backup.exe
1548	backup.exe
1176	update.exe
1644	data.exe
1184	backup.exe
2960	backup.exe
852	backup.exe
892	backup.exe
840	backup.exe
2696	backup.exe
2744	System Restore.exe
2924	backup.exe
2700	backup.exe
2524	backup.exe
2684	System Restore.exe
2556	backup.exe
2896	backup.exe
3012	backup.exe
1128	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2436	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	28
PID 2596 wrote to memory of 2436	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	28
PID 2596 wrote to memory of 2436	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	28
PID 2596 wrote to memory of 2436	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	28
PID 2596 wrote to memory of 2644	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	29
PID 2596 wrote to memory of 2644	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	29
PID 2596 wrote to memory of 2644	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	29
PID 2596 wrote to memory of 2644	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	29
PID 2596 wrote to memory of 2660	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	30
PID 2596 wrote to memory of 2660	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	30
PID 2596 wrote to memory of 2660	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	30
PID 2596 wrote to memory of 2660	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	30
PID 2596 wrote to memory of 2548	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	31
PID 2596 wrote to memory of 2548	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	31
PID 2596 wrote to memory of 2548	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	31
PID 2596 wrote to memory of 2548	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	31
PID 2596 wrote to memory of 2568	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	32
PID 2596 wrote to memory of 2568	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	32
PID 2596 wrote to memory of 2568	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	32
PID 2596 wrote to memory of 2568	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	32
PID 2596 wrote to memory of 2556	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	33
PID 2596 wrote to memory of 2556	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	33
PID 2596 wrote to memory of 2556	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	33
PID 2596 wrote to memory of 2556	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	33
PID 2596 wrote to memory of 2492	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	35
PID 2596 wrote to memory of 2492	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	35
PID 2596 wrote to memory of 2492	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	35
PID 2596 wrote to memory of 2492	2596	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe	35
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2436 wrote to memory of 2004	2436	backup.exe	34
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2004 wrote to memory of 2408	2004	update.exe	36
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2408 wrote to memory of 1756	2408	backup.exe	37
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 2004 wrote to memory of 1672	2004	update.exe	38
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 1672 wrote to memory of 580	1672	backup.exe	39
PID 580 wrote to memory of 948	580	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.8e058f8dac340df491a9f1a68741c7a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8e058f8dac340df491a9f1a68741c7a0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2596
- C:\Users\Admin\AppData\Local\Temp\4029383487\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4029383487\backup.exe C:\Users\Admin\AppData\Local\Temp\4029383487\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2436
- - C:\update.exe
    \update.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2004
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2408
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1672
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:580
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2956
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:3036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:2536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:3048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2324
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2848
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2616
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2372
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2200
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1004
      - C:\Program Files\Common Files\Services\System Restore.exe
        
        "C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1984
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2340
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:880
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1620
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:1100
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2168
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2748
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1384
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2052
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2248
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2756
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1908
    - - C:\Program Files\Google\System Restore.exe
        
        "C:\Program Files\Google\System Restore.exe" C:\Program Files\Google\
        5⤵
        
        PID:2804
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1664
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:340
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2944
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1524
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2252
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2900
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2060
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:980
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1492
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:936
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1944
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2704
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2580
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:796
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:464
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1192
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2520
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:960
      - C:\Program Files (x86)\Google\CrashReports\update.exe
        
        "C:\Program Files (x86)\Google\CrashReports\update.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2144
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:952
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2660
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:580
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1052
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2080
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2396
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:576
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1084
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2544
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2960
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2524
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2452
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2084
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2276
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1380
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1536
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2940
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1064
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1252
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2556
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2864
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1196
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2648
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:672
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2236
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
e410367b8891da442089d052ccfe5df9

SHA1
40046bc4e713c691bbb859503bf2e078b6bf4752

SHA256
6e9376757e33dcc9ae6dd6671e740fdfb956a5c130527663169eb4b9d871ee26

SHA512
db07201ca30ae7db69ca6175982948eaa1e79dfba1e1f11775d26ae2accbebd3b0f91e53c073041dc1037b6bd17ad380dcee95672a255306f750c072d42889d5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
e410367b8891da442089d052ccfe5df9

SHA1
40046bc4e713c691bbb859503bf2e078b6bf4752

SHA256
6e9376757e33dcc9ae6dd6671e740fdfb956a5c130527663169eb4b9d871ee26

SHA512
db07201ca30ae7db69ca6175982948eaa1e79dfba1e1f11775d26ae2accbebd3b0f91e53c073041dc1037b6bd17ad380dcee95672a255306f750c072d42889d5

Download Submit
C:\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
C:\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\4029383487\backup.exe

Filesize
176KB

MD5
f484ae89ae6590fb7d07135c75931391

SHA1
98098d2609b04a0d34643e08859e880616695b6f

SHA256
8024151482a42f9c418466d408f8812c06be48e950784ba072475ad9aa36a2e2

SHA512
7ca285a4fa387704e2278b7af263351bdaaf84abfbfc90c08f85cc7815174a427dbe0954a57f6ed50b0498b731ca36b2d36c82ad985348feb32a3d10400cae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\4029383487\backup.exe

Filesize
176KB

MD5
f484ae89ae6590fb7d07135c75931391

SHA1
98098d2609b04a0d34643e08859e880616695b6f

SHA256
8024151482a42f9c418466d408f8812c06be48e950784ba072475ad9aa36a2e2

SHA512
7ca285a4fa387704e2278b7af263351bdaaf84abfbfc90c08f85cc7815174a427dbe0954a57f6ed50b0498b731ca36b2d36c82ad985348feb32a3d10400cae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\4029383487\backup.exe

Filesize
176KB

MD5
f484ae89ae6590fb7d07135c75931391

SHA1
98098d2609b04a0d34643e08859e880616695b6f

SHA256
8024151482a42f9c418466d408f8812c06be48e950784ba072475ad9aa36a2e2

SHA512
7ca285a4fa387704e2278b7af263351bdaaf84abfbfc90c08f85cc7815174a427dbe0954a57f6ed50b0498b731ca36b2d36c82ad985348feb32a3d10400cae10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
6972f99b83ddcb7f93627d8d2acae66c

SHA1
e0e065a2e3866712f06d23f77f48720ec726122c

SHA256
ae77820790610ecf8a4c0881e64437b145ee57f445d63da302f655ad9e4614b8

SHA512
0a5fe089eb3bab9bb82fd94af272746b410a0ce898ffc4ae56a4bcddd71be4642f4c5cee11085ff76acfd37141795799a163a1a86d9c52537444aebdf095aea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
62KB

MD5
b4be23c594d5bfb27b41755e349241fa

SHA1
8e2163e3c016f4212cb762ba80656ed78deeb3a0

SHA256
86957f982f9b54e038ad0ff429bdef7b84f22879c5dc3ce07118bec0ec483dd8

SHA512
5bb5853867cf60b13ee1d9795a8d2e8da6d2a2728893c898b0761778819e6575b26ec37b6ce906140d1607b0ef84deca208455431f594bc4bf08bd7d49d177f7

Download Submit
C:\update.exe

Filesize
176KB

MD5
a685acb7128656fcea9c2300e4b20db7

SHA1
bc4df0b78dcba8e8039c2843432e2a1c77decb3f

SHA256
ae38ea17937709cc7db841b9d5692094680dc98ddd4b8584a7f08b23ea43c1e7

SHA512
45bb218b2b359ffcf8fe5504e250ed1f5ef7c959b8a15a58f46df6b11b2c7c12e6c8d9f7225dbb523f958beeb363625640adfe167be9e4f30aed08ce21e33b12

Download Submit
C:\update.exe

Filesize
176KB

MD5
a685acb7128656fcea9c2300e4b20db7

SHA1
bc4df0b78dcba8e8039c2843432e2a1c77decb3f

SHA256
ae38ea17937709cc7db841b9d5692094680dc98ddd4b8584a7f08b23ea43c1e7

SHA512
45bb218b2b359ffcf8fe5504e250ed1f5ef7c959b8a15a58f46df6b11b2c7c12e6c8d9f7225dbb523f958beeb363625640adfe167be9e4f30aed08ce21e33b12

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
176KB

MD5
8993b1eb6ea9c23598b118d8a786a0b4

SHA1
427b7af447a53af9af75a015c51b4c4831f1864b

SHA256
e3e57e8e7cb8be626def66b759975278ddfec5c7ba65dd01208f7d7b7dcae790

SHA512
47a8d6095ccff36a1cf605b7856e06a202935ca8c568dbccf4668495f3b78d67cef117d7be73b16315d3c38f71fd5b62d235ac9705ccff521aced87632e0aa37

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
137c25aa21ed6d91ad1bf5115a03bc17

SHA1
3a78ce4fb9c98e4b8a9b1db20962a4b19de0442d

SHA256
24ab49f5b81758e93e8041ff457cf9a6c882155617a25c2bd2ad6346ea4dd481

SHA512
b14a4c5d2541d9fa4158283970f129f013cbd7f8424cac8320931efa30cb16e758059aa4c595d9ded87f0ca1c3f1a5d23c124b66de327d8176760e6d29208d5c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
bb0f8131b0fbb04364e2b272400b1700

SHA1
ea0a4af9436bcc7d5281a22284d8914f53c232cc

SHA256
2b6ed8f2a16bc7319599336499ad265fa3ea1c39664c50bc5c5b9ae7e6d018a3

SHA512
ec806ea46aa353f04eadcff0afa1e821b05250ce9546faf74659a77b607af9c55bf5fa3d2da2de14ddf5cd83c6710ee2a770e3167f432b4f1258fa46ccb910b9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
43c3806830098eeb5108a145ba0c1c73

SHA1
4ba09cd601d18606b9141fc89dc2f9466824a162

SHA256
d2e568dd15800e38ce4a37e99b92e9aa38e31596e684065cbc2a367be320c2a2

SHA512
70c4c8e837952540b8c4785962579363de2f2774a9dcbe4e1ed19bd4b8726880fecce644e0ae50e48a557124d5ea70c16d028a8abc3e00976de39481ea22089a

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
e410367b8891da442089d052ccfe5df9

SHA1
40046bc4e713c691bbb859503bf2e078b6bf4752

SHA256
6e9376757e33dcc9ae6dd6671e740fdfb956a5c130527663169eb4b9d871ee26

SHA512
db07201ca30ae7db69ca6175982948eaa1e79dfba1e1f11775d26ae2accbebd3b0f91e53c073041dc1037b6bd17ad380dcee95672a255306f750c072d42889d5

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
e410367b8891da442089d052ccfe5df9

SHA1
40046bc4e713c691bbb859503bf2e078b6bf4752

SHA256
6e9376757e33dcc9ae6dd6671e740fdfb956a5c130527663169eb4b9d871ee26

SHA512
db07201ca30ae7db69ca6175982948eaa1e79dfba1e1f11775d26ae2accbebd3b0f91e53c073041dc1037b6bd17ad380dcee95672a255306f750c072d42889d5

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
e410367b8891da442089d052ccfe5df9

SHA1
40046bc4e713c691bbb859503bf2e078b6bf4752

SHA256
6e9376757e33dcc9ae6dd6671e740fdfb956a5c130527663169eb4b9d871ee26

SHA512
db07201ca30ae7db69ca6175982948eaa1e79dfba1e1f11775d26ae2accbebd3b0f91e53c073041dc1037b6bd17ad380dcee95672a255306f750c072d42889d5

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
\Program Files\backup.exe

Filesize
176KB

MD5
1c2baa5d7024d2303de8d0d660783d39

SHA1
d0ffa409741a83401acc0e243f972bc5090bae08

SHA256
4620a043dfa5f4bda5b4ecdff9aefb2e71a66f589e6a6a81809b694837ee48e7

SHA512
ac2715ae59bd19bbeb81c6a38c3689268aa560d1bdb6c897e51eb8a863610fc84aa4c49016d511600724d45d9c3dbdfde527fc322750be57382604647f43c3db

Download Submit
\Users\Admin\AppData\Local\Temp\4029383487\backup.exe

Filesize
176KB

MD5
f484ae89ae6590fb7d07135c75931391

SHA1
98098d2609b04a0d34643e08859e880616695b6f

SHA256
8024151482a42f9c418466d408f8812c06be48e950784ba072475ad9aa36a2e2

SHA512
7ca285a4fa387704e2278b7af263351bdaaf84abfbfc90c08f85cc7815174a427dbe0954a57f6ed50b0498b731ca36b2d36c82ad985348feb32a3d10400cae10

Download Submit
\Users\Admin\AppData\Local\Temp\4029383487\backup.exe

Filesize
176KB

MD5
f484ae89ae6590fb7d07135c75931391

SHA1
98098d2609b04a0d34643e08859e880616695b6f

SHA256
8024151482a42f9c418466d408f8812c06be48e950784ba072475ad9aa36a2e2

SHA512
7ca285a4fa387704e2278b7af263351bdaaf84abfbfc90c08f85cc7815174a427dbe0954a57f6ed50b0498b731ca36b2d36c82ad985348feb32a3d10400cae10

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
6972f99b83ddcb7f93627d8d2acae66c

SHA1
e0e065a2e3866712f06d23f77f48720ec726122c

SHA256
ae77820790610ecf8a4c0881e64437b145ee57f445d63da302f655ad9e4614b8

SHA512
0a5fe089eb3bab9bb82fd94af272746b410a0ce898ffc4ae56a4bcddd71be4642f4c5cee11085ff76acfd37141795799a163a1a86d9c52537444aebdf095aea9

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
6972f99b83ddcb7f93627d8d2acae66c

SHA1
e0e065a2e3866712f06d23f77f48720ec726122c

SHA256
ae77820790610ecf8a4c0881e64437b145ee57f445d63da302f655ad9e4614b8

SHA512
0a5fe089eb3bab9bb82fd94af272746b410a0ce898ffc4ae56a4bcddd71be4642f4c5cee11085ff76acfd37141795799a163a1a86d9c52537444aebdf095aea9

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
6960ab1932a7ae655006066d0f61e9df

SHA1
f69198af2e7fbaea3b1cfc9bd62a8e9c2cb58fbf

SHA256
a98ead14d65d6432dfef8eae90c9cb9cbedc3162968808136cc9a2ae6d8c02d2

SHA512
05bd34777c19620e5c8cf083419918a9ee13af09647aa2f6942c3e737f1d2fd4023b106f9f2bc8d4a6b0d201ef1f68d5c0cc144267d37e94c68e027333f7d953

Download Submit
memory/580-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/580-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/580-201-0x0000000001D10000-0x0000000001D52000-memory.dmp

Filesize
264KB

Download
memory/948-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/948-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-269-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1176-271-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1184-284-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1184-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1184-285-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1184-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1472-235-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1472-288-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1472-234-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1472-236-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1472-289-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1472-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-244-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1644-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-166-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1672-219-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1672-243-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1672-246-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1756-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-149-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1756-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2004-148-0x0000000000550000-0x0000000000592000-memory.dmp

Filesize
264KB

Download
memory/2004-96-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2004-183-0x0000000000550000-0x0000000000592000-memory.dmp

Filesize
264KB

Download
memory/2004-172-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2408-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-204-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2408-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2408-125-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2436-131-0x0000000001D50000-0x0000000001D92000-memory.dmp

Filesize
264KB

Download
memory/2436-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-79-0x0000000001D50000-0x0000000001D92000-memory.dmp

Filesize
264KB

Download
memory/2492-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-21-0x00000000025C0000-0x0000000002602000-memory.dmp

Filesize
264KB

Download
memory/2596-117-0x00000000025C0000-0x0000000002602000-memory.dmp

Filesize
264KB

Download
memory/2596-83-0x00000000025C0000-0x0000000002602000-memory.dmp

Filesize
264KB

Download
memory/2596-93-0x00000000025C0000-0x0000000002602000-memory.dmp

Filesize
264KB

Download
memory/2596-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-203-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2596-268-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2644-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-274-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/2956-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-222-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/2956-226-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/2956-225-0x0000000000840000-0x0000000000882000-memory.dmp

Filesize
264KB

Download
memory/2956-287-0x00000000008A0000-0x00000000008E2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads