2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8

Analysis

max time kernel
46s
max time network
54s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
Size

72KB
MD5

6c9604a26404894270a5099c94c66cc4
SHA1

8a1674cc3d9751ea0c0614d556163034dd17ef7a
SHA256

2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8
SHA512

c7106d25c65ca5a7c4268762f58757fde10db4bd10ba04a56207566c20d6109de200f64c59f301f09ac6cdfc64fb1beb05f8bdbf476eb7ca6df6added18943d7
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k8I6:teThavEjDWguKUz6

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
840	backup.exe
1844	backup.exe
1124	backup.exe
276	backup.exe
268	backup.exe
1020	data.exe
596	backup.exe
1028	backup.exe
664	backup.exe
1052	update.exe
2016	backup.exe
1640	backup.exe
1276	backup.exe
1004	data.exe
1444	backup.exe
1412	backup.exe
836	backup.exe
112	update.exe
1844	backup.exe
1408	backup.exe
1656	backup.exe
568	data.exe
1756	backup.exe
1472	backup.exe
1020	backup.exe
980	backup.exe
1552	backup.exe
1548	backup.exe
1804	backup.exe
1788	backup.exe
960	backup.exe
2032	backup.exe
1932	backup.exe
1780	backup.exe
1104	backup.exe
1820	backup.exe
1664	backup.exe
1292	backup.exe
1640	backup.exe
1648	backup.exe
1636	update.exe
1372	backup.exe
1916	backup.exe
1148	backup.exe
1204	backup.exe
1620	backup.exe
580	backup.exe
308	backup.exe
468	update.exe
276	data.exe
1908	backup.exe
568	backup.exe
1756	backup.exe
1528	backup.exe
596	backup.exe
824	backup.exe
1612	backup.exe
1604	data.exe
1000	backup.exe
432	backup.exe
1976	backup.exe
1944	backup.exe
1816	backup.exe
1852	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
1028	backup.exe
1028	backup.exe
664	backup.exe
1052	update.exe
1052	update.exe
1052	update.exe
1028	backup.exe
1028	backup.exe
2016	backup.exe
2016	backup.exe
1640	backup.exe
1640	backup.exe
2016	backup.exe
2016	backup.exe
1004	data.exe
1004	data.exe
1444	backup.exe
1444	backup.exe
1444	backup.exe
1444	backup.exe
836	backup.exe
112	update.exe
112	update.exe
112	update.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
840	backup.exe
1844	backup.exe
1124	backup.exe
276	backup.exe
268	backup.exe
1020	data.exe
596	backup.exe
1028	backup.exe
664	backup.exe
1052	update.exe
2016	backup.exe
1640	backup.exe
1276	backup.exe
1004	data.exe
1444	backup.exe
1412	backup.exe
836	backup.exe
112	update.exe
1844	backup.exe
1408	backup.exe
1656	backup.exe
568	data.exe
1756	backup.exe
1472	backup.exe
1020	backup.exe
980	backup.exe
1552	backup.exe
1548	backup.exe
1804	backup.exe
1788	backup.exe
960	backup.exe
2032	backup.exe
1932	backup.exe
1780	backup.exe
1104	backup.exe
1820	backup.exe
1664	backup.exe
1292	backup.exe
1640	backup.exe
1648	backup.exe
1636	update.exe
1372	backup.exe
1916	backup.exe
1148	backup.exe
1204	backup.exe
1620	backup.exe
580	backup.exe
308	backup.exe
468	update.exe
276	data.exe
568	backup.exe
1908	backup.exe
1756	backup.exe
1528	backup.exe
596	backup.exe
824	backup.exe
1604	data.exe
1612	backup.exe
432	backup.exe
1000	backup.exe
1944	backup.exe
1976	backup.exe
1852	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 840	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	27
PID 1744 wrote to memory of 840	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	27
PID 1744 wrote to memory of 840	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	27
PID 1744 wrote to memory of 840	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	27
PID 1744 wrote to memory of 1844	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	28
PID 1744 wrote to memory of 1844	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	28
PID 1744 wrote to memory of 1844	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	28
PID 1744 wrote to memory of 1844	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	28
PID 1744 wrote to memory of 1124	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	29
PID 1744 wrote to memory of 1124	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	29
PID 1744 wrote to memory of 1124	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	29
PID 1744 wrote to memory of 1124	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	29
PID 1744 wrote to memory of 276	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	30
PID 1744 wrote to memory of 276	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	30
PID 1744 wrote to memory of 276	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	30
PID 1744 wrote to memory of 276	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	30
PID 1744 wrote to memory of 268	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	31
PID 1744 wrote to memory of 268	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	31
PID 1744 wrote to memory of 268	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	31
PID 1744 wrote to memory of 268	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	31
PID 1744 wrote to memory of 1020	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	32
PID 1744 wrote to memory of 1020	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	32
PID 1744 wrote to memory of 1020	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	32
PID 1744 wrote to memory of 1020	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	32
PID 1744 wrote to memory of 596	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	33
PID 1744 wrote to memory of 596	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	33
PID 1744 wrote to memory of 596	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	33
PID 1744 wrote to memory of 596	1744	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe	33
PID 840 wrote to memory of 1028	840	backup.exe	34
PID 840 wrote to memory of 1028	840	backup.exe	34
PID 840 wrote to memory of 1028	840	backup.exe	34
PID 840 wrote to memory of 1028	840	backup.exe	34
PID 1028 wrote to memory of 664	1028	backup.exe	35
PID 1028 wrote to memory of 664	1028	backup.exe	35
PID 1028 wrote to memory of 664	1028	backup.exe	35
PID 1028 wrote to memory of 664	1028	backup.exe	35
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 664 wrote to memory of 1052	664	backup.exe	36
PID 1028 wrote to memory of 2016	1028	backup.exe	37
PID 1028 wrote to memory of 2016	1028	backup.exe	37
PID 1028 wrote to memory of 2016	1028	backup.exe	37
PID 1028 wrote to memory of 2016	1028	backup.exe	37
PID 2016 wrote to memory of 1640	2016	backup.exe	38
PID 2016 wrote to memory of 1640	2016	backup.exe	38
PID 2016 wrote to memory of 1640	2016	backup.exe	38
PID 2016 wrote to memory of 1640	2016	backup.exe	38
PID 1640 wrote to memory of 1276	1640	backup.exe	39
PID 1640 wrote to memory of 1276	1640	backup.exe	39
PID 1640 wrote to memory of 1276	1640	backup.exe	39
PID 1640 wrote to memory of 1276	1640	backup.exe	39
PID 2016 wrote to memory of 1004	2016	backup.exe	40
PID 2016 wrote to memory of 1004	2016	backup.exe	40
PID 2016 wrote to memory of 1004	2016	backup.exe	40
PID 2016 wrote to memory of 1004	2016	backup.exe	40
PID 1004 wrote to memory of 1444	1004	data.exe	41
PID 1004 wrote to memory of 1444	1004	data.exe	41
PID 1004 wrote to memory of 1444	1004	data.exe	41
PID 1004 wrote to memory of 1444	1004	data.exe	41
PID 1444 wrote to memory of 1412	1444	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe
"C:\Users\Admin\AppData\Local\Temp\2f984eef6456ee2e9e3a4a3306e0ba629d91aae62bb2e2a32ae26747156f70f8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1744
- C:\Users\Admin\AppData\Local\Temp\3592572625\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3592572625\backup.exe C:\Users\Admin\AppData\Local\Temp\3592572625\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:664
    - - C:\PerfLogs\Admin\update.exe
        
        C:\PerfLogs\Admin\update.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2016
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
    - - C:\Program Files\Common Files\data.exe
        
        "C:\Program Files\Common Files\data.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:660
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1788
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1816
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1036
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2044
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:360
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:812
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1552
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1364
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1936
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2104
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:308
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1852
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1292
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1412
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1408
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1704
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1856
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:572
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:996
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1636
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1236
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2112
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2208
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:640
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1164
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:696
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1748
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:896
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1252
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1572
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1992
    - - C:\Program Files\Reference Assemblies\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\System Restore.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2068
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2144
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1372
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Drops file in Program Files directory
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1500
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1516
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1532
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1164
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2152
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1720
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Google\Policies\data.exe
        
        "C:\Program Files (x86)\Google\Policies\data.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1660
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2028
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1204
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1688
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:432
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:764
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2032
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1356
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2088
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2172
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:328
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:520
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2120
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1640
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:276
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:268
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
C:\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e1aba43692d3f8b540d39ece0ce44a33

SHA1
f954855a3864dfd77f89e6a3414db90bc0ab4baa

SHA256
024c6a7ce1baf3de18292d654a21ca8d5212190439c0fe04654bf7a8f8075f48

SHA512
e699eab7af8b4f443909dd584c42bec2dccb5fc560ea7407da24325e75009739d731c4772ce65e677b33133ac7f1c30021038f69408d922745b9524389e1bf97

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e1aba43692d3f8b540d39ece0ce44a33

SHA1
f954855a3864dfd77f89e6a3414db90bc0ab4baa

SHA256
024c6a7ce1baf3de18292d654a21ca8d5212190439c0fe04654bf7a8f8075f48

SHA512
e699eab7af8b4f443909dd584c42bec2dccb5fc560ea7407da24325e75009739d731c4772ce65e677b33133ac7f1c30021038f69408d922745b9524389e1bf97

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e237b6baad386bcda22ac5254588f877

SHA1
17e78f3dedbe96b938822b83d5eb94e990ed7e61

SHA256
65b2f46d638b042a9f4b74e83b9e4585d861d047390a74f4043e4b518c2c6e53

SHA512
d63570faecebf2337eaf1e2e284877506dc16ebf46d192c2bd8874b95a23fa2babaf8e70d2a3b0925f5fa495a5fc0a1456229c0bd4aba8dbe857c3a759328f87

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
3dfc60d8c12e2ca22a225daf893bec84

SHA1
a8903be49a033eae51578a0da8bb61ee6ede3d70

SHA256
eb3489007489dd4eb5495b3296c5725cbd83672fbcf15bbc6f3b249641095e20

SHA512
d3ba61e7d69b964571317bbfd71ae52b5b16cb7c4cca87fd753f4366b3e51b0b8837cb04f655e05cf902a2c937177a066fbc8320fbf503032068ea66d4b72149

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
3dfc60d8c12e2ca22a225daf893bec84

SHA1
a8903be49a033eae51578a0da8bb61ee6ede3d70

SHA256
eb3489007489dd4eb5495b3296c5725cbd83672fbcf15bbc6f3b249641095e20

SHA512
d3ba61e7d69b964571317bbfd71ae52b5b16cb7c4cca87fd753f4366b3e51b0b8837cb04f655e05cf902a2c937177a066fbc8320fbf503032068ea66d4b72149

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e4493b5be872b78a8c6d35864e28d3c9

SHA1
0ebd55eb2ed30988d351fb234e2d026d7489d17a

SHA256
6f54a4a02a5442527bbee9cf1131a24b65894e894ee38f5a3729d73c8441f8a3

SHA512
77f728c0c0c2b3616715dbaa82392b6f68a1664514d673e286e477b4cd9853f1e07ef12aa251bedfb1041cf67f8cdc61c0a57861b55032eea386e3f247c4b3bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e4493b5be872b78a8c6d35864e28d3c9

SHA1
0ebd55eb2ed30988d351fb234e2d026d7489d17a

SHA256
6f54a4a02a5442527bbee9cf1131a24b65894e894ee38f5a3729d73c8441f8a3

SHA512
77f728c0c0c2b3616715dbaa82392b6f68a1664514d673e286e477b4cd9853f1e07ef12aa251bedfb1041cf67f8cdc61c0a57861b55032eea386e3f247c4b3bf

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
45bbd1261f9ff2eb2a91e7b9d79dfc3e

SHA1
490f10026754759a359c5aed1ce74262e4dfb1bf

SHA256
4ec543ab113169ca71bc84a4d8e873d308e54eddbf468fdea41e4b7925788608

SHA512
626e309ad35ffc485ffea2e9286688f431e4327edb00e51a7dda47799a227b243610f7fd1c0c76b4de320f8e2a658579ed66a454be36e028353a7e9987aa1156

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
45bbd1261f9ff2eb2a91e7b9d79dfc3e

SHA1
490f10026754759a359c5aed1ce74262e4dfb1bf

SHA256
4ec543ab113169ca71bc84a4d8e873d308e54eddbf468fdea41e4b7925788608

SHA512
626e309ad35ffc485ffea2e9286688f431e4327edb00e51a7dda47799a227b243610f7fd1c0c76b4de320f8e2a658579ed66a454be36e028353a7e9987aa1156

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
b748c9abb62a45ad03ab6b01891d3f9d

SHA1
c752e7cec9aee104cc1af24090dae7dd17aed4b5

SHA256
c588d5734d877f901adcc2fbbd9558ed326c46170ea1485e71253e3cbcda7b5d

SHA512
67580647c7a2d7a785e62afc318073881d5acf61993b5d6a0a3427cd8581bbb87db3dd3b416c2757e7f092b01d5920b58c601946e0df460ba1230bbc6c9f6be0

Download Submit
C:\Program Files\Common Files\data.exe

Filesize
72KB

MD5
b748c9abb62a45ad03ab6b01891d3f9d

SHA1
c752e7cec9aee104cc1af24090dae7dd17aed4b5

SHA256
c588d5734d877f901adcc2fbbd9558ed326c46170ea1485e71253e3cbcda7b5d

SHA512
67580647c7a2d7a785e62afc318073881d5acf61993b5d6a0a3427cd8581bbb87db3dd3b416c2757e7f092b01d5920b58c601946e0df460ba1230bbc6c9f6be0

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d25eb13c36f2a58877937e6a1e8b72e6

SHA1
d9ded5ff0872eebd127a3c1c5668348409cd2724

SHA256
f1cd58953fbc85340a6b52aebe441cbe6bdbee250391e641690d2d91e5b9a899

SHA512
52d0bfe81972a44755360ea960008e32444fd5c78dc5af20b35c03ddb80439d7013f48d31fd2809b2df4022ab2187635cdc1f95a25ab93e19e3c1abc78e09804

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d25eb13c36f2a58877937e6a1e8b72e6

SHA1
d9ded5ff0872eebd127a3c1c5668348409cd2724

SHA256
f1cd58953fbc85340a6b52aebe441cbe6bdbee250391e641690d2d91e5b9a899

SHA512
52d0bfe81972a44755360ea960008e32444fd5c78dc5af20b35c03ddb80439d7013f48d31fd2809b2df4022ab2187635cdc1f95a25ab93e19e3c1abc78e09804

Download Submit
C:\Users\Admin\AppData\Local\Temp\3592572625\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3592572625\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e70fcc0934d1f297593e91c133737e3c

SHA1
f17e98472a376363f21719b7d69dc0da1139d399

SHA256
b6748b1f46d245fbaf883a43a13dfb28168bc19d08a271acd94e7c8e729446e0

SHA512
19f372060738fedc1473347b09d2f55fb26612382fb1f2104703a2fa8ab2dceaf2717d2e446ce429b7eef8aa99aac8a0b659284033c99338781f0cd27867cac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d55fc99656ff16e73411dc7bf1b8cfc3

SHA1
0e7f0cc6c46807a53df41df0883b9d058cdeedb6

SHA256
f9b3482211d852174cbca0a19a65dd9ff6745ab0fe0b911abda4829e2e0c6c84

SHA512
20543c33a0f1549714a5b1eacb98a2d00c8ab9b53e3dda3d5de2e5a10fb0e1642681fec28048093b88549290cb012a8e057026c21b80201742e2a23f647ab739

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d55fc99656ff16e73411dc7bf1b8cfc3

SHA1
0e7f0cc6c46807a53df41df0883b9d058cdeedb6

SHA256
f9b3482211d852174cbca0a19a65dd9ff6745ab0fe0b911abda4829e2e0c6c84

SHA512
20543c33a0f1549714a5b1eacb98a2d00c8ab9b53e3dda3d5de2e5a10fb0e1642681fec28048093b88549290cb012a8e057026c21b80201742e2a23f647ab739

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
\PerfLogs\Admin\update.exe

Filesize
72KB

MD5
6820655f72a4478d5be8e520609a9cef

SHA1
02770d3eeff75ffe4621a2ff0dc02b4e04ed664b

SHA256
6d7c9ed40423b257593e654da3550d8bee3f4db5048ad3e7b79afed07a0606ec

SHA512
4199288c81b54ce3a9ae9c74cf5b58b497eade6f1f4c5fcbe308c64cc678e4c13589de2a6188ac993d433ce06fec78e5395ef2b0269b07cd07b11f95c8a98fa9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e1aba43692d3f8b540d39ece0ce44a33

SHA1
f954855a3864dfd77f89e6a3414db90bc0ab4baa

SHA256
024c6a7ce1baf3de18292d654a21ca8d5212190439c0fe04654bf7a8f8075f48

SHA512
e699eab7af8b4f443909dd584c42bec2dccb5fc560ea7407da24325e75009739d731c4772ce65e677b33133ac7f1c30021038f69408d922745b9524389e1bf97

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e1aba43692d3f8b540d39ece0ce44a33

SHA1
f954855a3864dfd77f89e6a3414db90bc0ab4baa

SHA256
024c6a7ce1baf3de18292d654a21ca8d5212190439c0fe04654bf7a8f8075f48

SHA512
e699eab7af8b4f443909dd584c42bec2dccb5fc560ea7407da24325e75009739d731c4772ce65e677b33133ac7f1c30021038f69408d922745b9524389e1bf97

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e237b6baad386bcda22ac5254588f877

SHA1
17e78f3dedbe96b938822b83d5eb94e990ed7e61

SHA256
65b2f46d638b042a9f4b74e83b9e4585d861d047390a74f4043e4b518c2c6e53

SHA512
d63570faecebf2337eaf1e2e284877506dc16ebf46d192c2bd8874b95a23fa2babaf8e70d2a3b0925f5fa495a5fc0a1456229c0bd4aba8dbe857c3a759328f87

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e237b6baad386bcda22ac5254588f877

SHA1
17e78f3dedbe96b938822b83d5eb94e990ed7e61

SHA256
65b2f46d638b042a9f4b74e83b9e4585d861d047390a74f4043e4b518c2c6e53

SHA512
d63570faecebf2337eaf1e2e284877506dc16ebf46d192c2bd8874b95a23fa2babaf8e70d2a3b0925f5fa495a5fc0a1456229c0bd4aba8dbe857c3a759328f87

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
3dfc60d8c12e2ca22a225daf893bec84

SHA1
a8903be49a033eae51578a0da8bb61ee6ede3d70

SHA256
eb3489007489dd4eb5495b3296c5725cbd83672fbcf15bbc6f3b249641095e20

SHA512
d3ba61e7d69b964571317bbfd71ae52b5b16cb7c4cca87fd753f4366b3e51b0b8837cb04f655e05cf902a2c937177a066fbc8320fbf503032068ea66d4b72149

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
3dfc60d8c12e2ca22a225daf893bec84

SHA1
a8903be49a033eae51578a0da8bb61ee6ede3d70

SHA256
eb3489007489dd4eb5495b3296c5725cbd83672fbcf15bbc6f3b249641095e20

SHA512
d3ba61e7d69b964571317bbfd71ae52b5b16cb7c4cca87fd753f4366b3e51b0b8837cb04f655e05cf902a2c937177a066fbc8320fbf503032068ea66d4b72149

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e4493b5be872b78a8c6d35864e28d3c9

SHA1
0ebd55eb2ed30988d351fb234e2d026d7489d17a

SHA256
6f54a4a02a5442527bbee9cf1131a24b65894e894ee38f5a3729d73c8441f8a3

SHA512
77f728c0c0c2b3616715dbaa82392b6f68a1664514d673e286e477b4cd9853f1e07ef12aa251bedfb1041cf67f8cdc61c0a57861b55032eea386e3f247c4b3bf

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
e4493b5be872b78a8c6d35864e28d3c9

SHA1
0ebd55eb2ed30988d351fb234e2d026d7489d17a

SHA256
6f54a4a02a5442527bbee9cf1131a24b65894e894ee38f5a3729d73c8441f8a3

SHA512
77f728c0c0c2b3616715dbaa82392b6f68a1664514d673e286e477b4cd9853f1e07ef12aa251bedfb1041cf67f8cdc61c0a57861b55032eea386e3f247c4b3bf

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
45bbd1261f9ff2eb2a91e7b9d79dfc3e

SHA1
490f10026754759a359c5aed1ce74262e4dfb1bf

SHA256
4ec543ab113169ca71bc84a4d8e873d308e54eddbf468fdea41e4b7925788608

SHA512
626e309ad35ffc485ffea2e9286688f431e4327edb00e51a7dda47799a227b243610f7fd1c0c76b4de320f8e2a658579ed66a454be36e028353a7e9987aa1156

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
45bbd1261f9ff2eb2a91e7b9d79dfc3e

SHA1
490f10026754759a359c5aed1ce74262e4dfb1bf

SHA256
4ec543ab113169ca71bc84a4d8e873d308e54eddbf468fdea41e4b7925788608

SHA512
626e309ad35ffc485ffea2e9286688f431e4327edb00e51a7dda47799a227b243610f7fd1c0c76b4de320f8e2a658579ed66a454be36e028353a7e9987aa1156

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
0c915f07f368a4f7e0a0dd014c2755a0

SHA1
bcdbde304a97079f534d85dcfc31262261182117

SHA256
166d10bb51e52f0c3d1d7b0e29bc48940e66d34e83acff361fb62b8c0f8138cd

SHA512
91bd5d272885001e213e49aad234026e4b3ce6563513518fab2485925fee95f451b18c8ee0610604a63f444dd599e5077e63457456dcaa5677398f1e18f250ae

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
b748c9abb62a45ad03ab6b01891d3f9d

SHA1
c752e7cec9aee104cc1af24090dae7dd17aed4b5

SHA256
c588d5734d877f901adcc2fbbd9558ed326c46170ea1485e71253e3cbcda7b5d

SHA512
67580647c7a2d7a785e62afc318073881d5acf61993b5d6a0a3427cd8581bbb87db3dd3b416c2757e7f092b01d5920b58c601946e0df460ba1230bbc6c9f6be0

Download Submit
\Program Files\Common Files\data.exe

Filesize
72KB

MD5
b748c9abb62a45ad03ab6b01891d3f9d

SHA1
c752e7cec9aee104cc1af24090dae7dd17aed4b5

SHA256
c588d5734d877f901adcc2fbbd9558ed326c46170ea1485e71253e3cbcda7b5d

SHA512
67580647c7a2d7a785e62afc318073881d5acf61993b5d6a0a3427cd8581bbb87db3dd3b416c2757e7f092b01d5920b58c601946e0df460ba1230bbc6c9f6be0

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d25eb13c36f2a58877937e6a1e8b72e6

SHA1
d9ded5ff0872eebd127a3c1c5668348409cd2724

SHA256
f1cd58953fbc85340a6b52aebe441cbe6bdbee250391e641690d2d91e5b9a899

SHA512
52d0bfe81972a44755360ea960008e32444fd5c78dc5af20b35c03ddb80439d7013f48d31fd2809b2df4022ab2187635cdc1f95a25ab93e19e3c1abc78e09804

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d25eb13c36f2a58877937e6a1e8b72e6

SHA1
d9ded5ff0872eebd127a3c1c5668348409cd2724

SHA256
f1cd58953fbc85340a6b52aebe441cbe6bdbee250391e641690d2d91e5b9a899

SHA512
52d0bfe81972a44755360ea960008e32444fd5c78dc5af20b35c03ddb80439d7013f48d31fd2809b2df4022ab2187635cdc1f95a25ab93e19e3c1abc78e09804

Download Submit
\Users\Admin\AppData\Local\Temp\3592572625\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\3592572625\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e70fcc0934d1f297593e91c133737e3c

SHA1
f17e98472a376363f21719b7d69dc0da1139d399

SHA256
b6748b1f46d245fbaf883a43a13dfb28168bc19d08a271acd94e7c8e729446e0

SHA512
19f372060738fedc1473347b09d2f55fb26612382fb1f2104703a2fa8ab2dceaf2717d2e446ce429b7eef8aa99aac8a0b659284033c99338781f0cd27867cac1

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e70fcc0934d1f297593e91c133737e3c

SHA1
f17e98472a376363f21719b7d69dc0da1139d399

SHA256
b6748b1f46d245fbaf883a43a13dfb28168bc19d08a271acd94e7c8e729446e0

SHA512
19f372060738fedc1473347b09d2f55fb26612382fb1f2104703a2fa8ab2dceaf2717d2e446ce429b7eef8aa99aac8a0b659284033c99338781f0cd27867cac1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
7ea45b1d25b4357b5486ab003ef7a56a

SHA1
e1d8fb65250de5f9c8b940a6b62e34976e3b452a

SHA256
fd3e389c24c7979c636934ba879971edf834951ca65633dde8285854a737c66a

SHA512
aaead8b93bc23293e610a8d3c0c428d1ae97bfbc416c4ecc3a97a13949f1cdc0f2257625c410c49e1e3b14b6d3fff1eb946fde273e1a57718da91b221488c3ec

Download Submit
memory/1744-98-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1744-111-0x0000000073FE1000-0x0000000073FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads