cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101

Analysis

max time kernel
62s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
Size

72KB
MD5

01f81552b3b5d45d33eed5117592ffce
SHA1

711a930a3b9c2fc418bcd12dcd2c1471dabae097
SHA256

cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101
SHA512

418be9ef31b65085af05594e76b7ac7a36d7d318a3f34160effe0155231846912c98dc144578daa989b13015c678c0e79e826352f124e2f34dff14782a2a6118
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyvUK:HeT7BVwxfvqguKRFAbK

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1160	backup.exe
880	backup.exe
960	backup.exe
1452	backup.exe
1356	backup.exe
2040	backup.exe
1892	backup.exe
1084	backup.exe
1836	backup.exe
1556	backup.exe
1636	backup.exe
1752	backup.exe
872	backup.exe
1316	backup.exe
268	backup.exe
1300	backup.exe
1600	backup.exe
1468	backup.exe
1524	backup.exe
616	backup.exe
1520	backup.exe
1696	System Restore.exe
1448	backup.exe
1900	backup.exe
2016	update.exe
1488	backup.exe
1676	backup.exe
592	backup.exe
1324	backup.exe
672	backup.exe
1960	backup.exe
1000	backup.exe
1692	backup.exe
1752	data.exe
776	backup.exe
552	update.exe
1404	backup.exe
1588	backup.exe
980	backup.exe
840	backup.exe
1712	backup.exe
1644	System Restore.exe
1652	backup.exe
976	backup.exe
1952	update.exe
1292	backup.exe
1736	backup.exe
1748	backup.exe
1740	backup.exe
1032	backup.exe
1428	backup.exe
1524	System Restore.exe
876	backup.exe
576	backup.exe
848	backup.exe
1696	backup.exe
1504	backup.exe
672	backup.exe
1040	backup.exe
1668	backup.exe
1488	backup.exe
432	backup.exe
108	backup.exe
556	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
1084	backup.exe
1084	backup.exe
1836	backup.exe
1836	backup.exe
1084	backup.exe
1084	backup.exe
1636	backup.exe
1636	backup.exe
1752	backup.exe
1752	backup.exe
1636	backup.exe
1636	backup.exe
1316	backup.exe
1316	backup.exe
268	backup.exe
268	backup.exe
268	backup.exe
268	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
528	backup.exe
2016	update.exe
2016	update.exe
2016	update.exe
528	backup.exe
528	backup.exe
268	backup.exe
268	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe
1676	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
1160	backup.exe
880	backup.exe
960	backup.exe
1452	backup.exe
1356	backup.exe
2040	backup.exe
1892	backup.exe
1084	backup.exe
1836	backup.exe
1556	backup.exe
1636	backup.exe
1752	backup.exe
872	backup.exe
1316	backup.exe
268	backup.exe
1300	backup.exe
1956	backup.exe
916	backup.exe
1652	backup.exe
1952	backup.exe
880	backup.exe
748	backup.exe
1736	backup.exe
1124	backup.exe
1180	backup.exe
1740	backup.exe
524	backup.exe
528	backup.exe
1468	backup.exe
1524	backup.exe
616	backup.exe
1520	backup.exe
1696	System Restore.exe
1448	backup.exe
1900	backup.exe
2016	update.exe
1488	backup.exe
872	System Restore.exe
432	backup.exe
1192	backup.exe
1848	update.exe
1268	backup.exe
1484	backup.exe
1300	backup.exe
1712	backup.exe
1780	backup.exe
1624	backup.exe
1744	backup.exe
796	backup.exe
1952	backup.exe
880	backup.exe
748	backup.exe
1736	backup.exe
1124	backup.exe
1180	backup.exe
1740	backup.exe
524	backup.exe
1472	backup.exe
1428	backup.exe
1948	backup.exe
1028	backup.exe
1088	System Restore.exe
1676	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1160	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	28
PID 584 wrote to memory of 1160	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	28
PID 584 wrote to memory of 1160	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	28
PID 584 wrote to memory of 1160	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	28
PID 584 wrote to memory of 880	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	29
PID 584 wrote to memory of 880	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	29
PID 584 wrote to memory of 880	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	29
PID 584 wrote to memory of 880	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	29
PID 584 wrote to memory of 960	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	30
PID 584 wrote to memory of 960	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	30
PID 584 wrote to memory of 960	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	30
PID 584 wrote to memory of 960	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	30
PID 584 wrote to memory of 1452	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	31
PID 584 wrote to memory of 1452	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	31
PID 584 wrote to memory of 1452	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	31
PID 584 wrote to memory of 1452	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	31
PID 584 wrote to memory of 1356	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	32
PID 584 wrote to memory of 1356	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	32
PID 584 wrote to memory of 1356	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	32
PID 584 wrote to memory of 1356	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	32
PID 584 wrote to memory of 2040	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	33
PID 584 wrote to memory of 2040	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	33
PID 584 wrote to memory of 2040	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	33
PID 584 wrote to memory of 2040	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	33
PID 584 wrote to memory of 1892	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	34
PID 584 wrote to memory of 1892	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	34
PID 584 wrote to memory of 1892	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	34
PID 584 wrote to memory of 1892	584	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe	34
PID 1160 wrote to memory of 1084	1160	backup.exe	35
PID 1160 wrote to memory of 1084	1160	backup.exe	35
PID 1160 wrote to memory of 1084	1160	backup.exe	35
PID 1160 wrote to memory of 1084	1160	backup.exe	35
PID 1084 wrote to memory of 1836	1084	backup.exe	36
PID 1084 wrote to memory of 1836	1084	backup.exe	36
PID 1084 wrote to memory of 1836	1084	backup.exe	36
PID 1084 wrote to memory of 1836	1084	backup.exe	36
PID 1836 wrote to memory of 1556	1836	backup.exe	37
PID 1836 wrote to memory of 1556	1836	backup.exe	37
PID 1836 wrote to memory of 1556	1836	backup.exe	37
PID 1836 wrote to memory of 1556	1836	backup.exe	37
PID 1084 wrote to memory of 1636	1084	backup.exe	38
PID 1084 wrote to memory of 1636	1084	backup.exe	38
PID 1084 wrote to memory of 1636	1084	backup.exe	38
PID 1084 wrote to memory of 1636	1084	backup.exe	38
PID 1636 wrote to memory of 1752	1636	backup.exe	39
PID 1636 wrote to memory of 1752	1636	backup.exe	39
PID 1636 wrote to memory of 1752	1636	backup.exe	39
PID 1636 wrote to memory of 1752	1636	backup.exe	39
PID 1752 wrote to memory of 872	1752	backup.exe	40
PID 1752 wrote to memory of 872	1752	backup.exe	40
PID 1752 wrote to memory of 872	1752	backup.exe	40
PID 1752 wrote to memory of 872	1752	backup.exe	40
PID 1636 wrote to memory of 1316	1636	backup.exe	41
PID 1636 wrote to memory of 1316	1636	backup.exe	41
PID 1636 wrote to memory of 1316	1636	backup.exe	41
PID 1636 wrote to memory of 1316	1636	backup.exe	41
PID 1316 wrote to memory of 268	1316	backup.exe	42
PID 1316 wrote to memory of 268	1316	backup.exe	42
PID 1316 wrote to memory of 268	1316	backup.exe	42
PID 1316 wrote to memory of 268	1316	backup.exe	42
PID 268 wrote to memory of 1300	268	backup.exe	43
PID 268 wrote to memory of 1300	268	backup.exe	43
PID 268 wrote to memory of 1300	268	backup.exe	43
PID 268 wrote to memory of 1300	268	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe
"C:\Users\Admin\AppData\Local\Temp\cd4708672055b1400229fe1609239122801f5f156abac7c2b0ce0e83a1a5b101.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:584
- C:\Users\Admin\AppData\Local\Temp\2420246755\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2420246755\backup.exe C:\Users\Admin\AppData\Local\Temp\2420246755\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1160
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1836
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1636
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1620
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        System policy modification
        
        PID:1696
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1488
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:108
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1480
        
        C:\Program Files\Common Files\System\ado\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\data.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:916
        
        C:\Program Files\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\data.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1836
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1400
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:980
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:672
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1524
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:432
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1448
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:576
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        System policy modification
        
        PID:1504
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1668
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:964
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:980
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:748
      - C:\Program Files\DVD Maker\Shared\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:616
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1756
      - C:\Program Files\Google\Chrome\System Restore.exe
        
        "C:\Program Files\Google\Chrome\System Restore.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:688
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:108
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1584
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1788
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1136
    - - C:\Program Files\Microsoft Office\update.exe
        
        "C:\Program Files\Microsoft Office\update.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1672
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:268
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:880
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System policy modification
      PID:848
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:672
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1316
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1792
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1452
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1324
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\Adobe\Help\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\update.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:320
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1756
      - C:\Program Files (x86)\Common Files\Adobe AIR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1664
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1376
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:576
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1036
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1684
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:568
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:964
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1656
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1396
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1428
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:1244
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1968
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1956
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1892
      - C:\Users\Admin\Documents\update.exe
        
        C:\Users\Admin\Documents\update.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1552
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1760
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1780
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1676
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:880
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:960
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
5f6e0a90f0bef5d460863d4f216a593c

SHA1
a5f79c5f09fd22af6830109ad0c054ee213f1f66

SHA256
993bdb7a443aceec72fcf7e4c055503494612f43aeb3ae12f7a1821bb6a7cfd4

SHA512
4a85e957db3784e104ab76d232d931c0c55770073d7605e8c48613a35f9a129ee4279aaa31a867c4bd49a9ce61f7d9385e9e99d7ff2c0457e2647ca3bfae96f6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17182e52b9180bb640fc52efa1c209bc

SHA1
2a0532e6bb21e57947662a5547f4f4c52d2cc421

SHA256
7e0d8634eb1a64c0b67e5bc51fe6737fb9310df3bf1bd6326ed60b257c980023

SHA512
8f1fda6fe46be32364c9329c30726e1d6f5de9463283b85ed50a19cc39c8953373ea74d3801d103907bce58675a7d8c6c7cd12907678df1c9d891d0053e2a42f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17182e52b9180bb640fc52efa1c209bc

SHA1
2a0532e6bb21e57947662a5547f4f4c52d2cc421

SHA256
7e0d8634eb1a64c0b67e5bc51fe6737fb9310df3bf1bd6326ed60b257c980023

SHA512
8f1fda6fe46be32364c9329c30726e1d6f5de9463283b85ed50a19cc39c8953373ea74d3801d103907bce58675a7d8c6c7cd12907678df1c9d891d0053e2a42f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d66251f89049eb53b495e10e3efd90ac

SHA1
d6cd2ca5a42bc1b6f003488acf29446527f0e358

SHA256
ee3c747eed974a53e6052f056ed4a41cecfe489bb7365f266db4d891a7409d6a

SHA512
1bee2b8db6193812c0650ce9c1d536abd80f1c841ac133b6ccc47099625b7f56e4946324e9b8ce0a461fc4d9808858531e9d82a5c6ecf7b68e9df941924a4e49

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d66251f89049eb53b495e10e3efd90ac

SHA1
d6cd2ca5a42bc1b6f003488acf29446527f0e358

SHA256
ee3c747eed974a53e6052f056ed4a41cecfe489bb7365f266db4d891a7409d6a

SHA512
1bee2b8db6193812c0650ce9c1d536abd80f1c841ac133b6ccc47099625b7f56e4946324e9b8ce0a461fc4d9808858531e9d82a5c6ecf7b68e9df941924a4e49

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2420246755\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2420246755\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0c745c7bd7905682874c11d4d7547b2a

SHA1
efb9f8e8a9aacbf3a7816d9ac7ef0347d746cafb

SHA256
030b3972ceadc21efe780c7473b12ffe9984be85b29c0d562756a3f51691c9ac

SHA512
0c34e0eb550f7671d179f10b3da43f425c0f462bbb6b79045e9ce592b933dac12a793c90730c1d8fe4ec651127784644d8d8d68c359a3ba3c41b1c90fc3d1626

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0c745c7bd7905682874c11d4d7547b2a

SHA1
efb9f8e8a9aacbf3a7816d9ac7ef0347d746cafb

SHA256
030b3972ceadc21efe780c7473b12ffe9984be85b29c0d562756a3f51691c9ac

SHA512
0c34e0eb550f7671d179f10b3da43f425c0f462bbb6b79045e9ce592b933dac12a793c90730c1d8fe4ec651127784644d8d8d68c359a3ba3c41b1c90fc3d1626

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
5f6e0a90f0bef5d460863d4f216a593c

SHA1
a5f79c5f09fd22af6830109ad0c054ee213f1f66

SHA256
993bdb7a443aceec72fcf7e4c055503494612f43aeb3ae12f7a1821bb6a7cfd4

SHA512
4a85e957db3784e104ab76d232d931c0c55770073d7605e8c48613a35f9a129ee4279aaa31a867c4bd49a9ce61f7d9385e9e99d7ff2c0457e2647ca3bfae96f6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
5f6e0a90f0bef5d460863d4f216a593c

SHA1
a5f79c5f09fd22af6830109ad0c054ee213f1f66

SHA256
993bdb7a443aceec72fcf7e4c055503494612f43aeb3ae12f7a1821bb6a7cfd4

SHA512
4a85e957db3784e104ab76d232d931c0c55770073d7605e8c48613a35f9a129ee4279aaa31a867c4bd49a9ce61f7d9385e9e99d7ff2c0457e2647ca3bfae96f6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bd4c14e2415472b0f88a30f2b4198b6e

SHA1
177cd904d179d25386765104853ed751fccc1387

SHA256
cdde5a27712684709a3be8e170dd31145f4e87f3731cf5ca99d8751c621d4343

SHA512
a570762f25e3c8601d11e10cd17e0d76bb613a50b49d22c7bdcdee615df9437db18f689bb83cf6643cb01b7284db840e3b36a847602b7eb7fe3673c6ebbc670a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17182e52b9180bb640fc52efa1c209bc

SHA1
2a0532e6bb21e57947662a5547f4f4c52d2cc421

SHA256
7e0d8634eb1a64c0b67e5bc51fe6737fb9310df3bf1bd6326ed60b257c980023

SHA512
8f1fda6fe46be32364c9329c30726e1d6f5de9463283b85ed50a19cc39c8953373ea74d3801d103907bce58675a7d8c6c7cd12907678df1c9d891d0053e2a42f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
17182e52b9180bb640fc52efa1c209bc

SHA1
2a0532e6bb21e57947662a5547f4f4c52d2cc421

SHA256
7e0d8634eb1a64c0b67e5bc51fe6737fb9310df3bf1bd6326ed60b257c980023

SHA512
8f1fda6fe46be32364c9329c30726e1d6f5de9463283b85ed50a19cc39c8953373ea74d3801d103907bce58675a7d8c6c7cd12907678df1c9d891d0053e2a42f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6155384f12ac3beb119772a941261341

SHA1
297c8b900189d238cb76bc803ce385d6a80df44d

SHA256
667ef9ede377502c805df871b5427e4783005a74a571465076fed29f43cb937a

SHA512
2a98657bb24d7a2b44778f6cbca2c3c0dfd837f38d4df40d800029fc93e834fdc90964cf991646bf9d67c0b6203b419bf5ea1fd0011bf5f73d0b42014d721a14

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
e1886d27b104a35f61a54d2562ad416a

SHA1
01f2f7265571d5140b2dbeb1b78702d9fbcfacac

SHA256
07a3188e48249c61d4edbd3f53f3296a5008d1645a68cf528a1bc801da94dedd

SHA512
bec9a194aed8986f5c4425c80c0b0bf177ebf618fffb1596c2336dc81081ed9f4892f7333fc06f241f90730d8deba0ed451b6bb00af13299b20e0d1f16b79454

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d66251f89049eb53b495e10e3efd90ac

SHA1
d6cd2ca5a42bc1b6f003488acf29446527f0e358

SHA256
ee3c747eed974a53e6052f056ed4a41cecfe489bb7365f266db4d891a7409d6a

SHA512
1bee2b8db6193812c0650ce9c1d536abd80f1c841ac133b6ccc47099625b7f56e4946324e9b8ce0a461fc4d9808858531e9d82a5c6ecf7b68e9df941924a4e49

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d66251f89049eb53b495e10e3efd90ac

SHA1
d6cd2ca5a42bc1b6f003488acf29446527f0e358

SHA256
ee3c747eed974a53e6052f056ed4a41cecfe489bb7365f266db4d891a7409d6a

SHA512
1bee2b8db6193812c0650ce9c1d536abd80f1c841ac133b6ccc47099625b7f56e4946324e9b8ce0a461fc4d9808858531e9d82a5c6ecf7b68e9df941924a4e49

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
987096603715829bf68f84eb2fb8c265

SHA1
51bba9cc34df275f64a1dba3dfa5d23bb7cdcc17

SHA256
b9d5183f108d4ae743006ead6255de1bd19cec91dca442e1309d8d4c07be066b

SHA512
a27de667e114eb4c912ae9a106acab8946592cad498211ecb06fbb182c07adcd08feab931c29def3ba3ab36746c11fc9608cb214699107be0f0c835047be25b3

Download Submit
\Users\Admin\AppData\Local\Temp\2420246755\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\2420246755\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ce555013d825a0856d7d4d9b0a52d9af

SHA1
a4b3334194fbf925c266ba2cc5098d1c451d2766

SHA256
db91a96bf54595c0d1dff6ced1d06ac3f45903162383ddd42e0bf58a37d4dea1

SHA512
62411b38ce4b349700512144c439e82fba4ea62cc436a5bf4b1d1b4c430b6d551cfa806dd257a4213ecfa69feb4b943a10a670af2603229a9610740078c5661e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a08929620095851650fb3804b0ad2695

SHA1
3d20b9e57ebb47d7044a19935a3098bd501c3108

SHA256
576f4e5f9eecbde3459fc04e8f7b4be101c1008b2c40005253edfcf30ead15ed

SHA512
b41abcb963c92012afc6dbe06cb9d2301a7361844e571fd65204fce9982f1e893098d688dc45f3538e76bde63a0cf9db917c283c28c8a3217dc6482ae1f038da

Download Submit
memory/108-389-0x0000000000000000-mapping.dmp

Download
memory/268-147-0x0000000000000000-mapping.dmp

Download
memory/432-386-0x0000000000000000-mapping.dmp

Download
memory/552-301-0x0000000000000000-mapping.dmp

Download
memory/556-393-0x0000000000000000-mapping.dmp

Download
memory/576-362-0x0000000000000000-mapping.dmp

Download
memory/584-98-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/584-159-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/592-277-0x0000000000000000-mapping.dmp

Download
memory/616-201-0x0000000000000000-mapping.dmp

Download
memory/672-371-0x0000000000000000-mapping.dmp

Download
memory/672-283-0x0000000000000000-mapping.dmp

Download
memory/776-298-0x0000000000000000-mapping.dmp

Download
memory/840-314-0x0000000000000000-mapping.dmp

Download
memory/848-361-0x0000000000000000-mapping.dmp

Download
memory/872-134-0x0000000000000000-mapping.dmp

Download
memory/876-360-0x0000000000000000-mapping.dmp

Download
memory/880-64-0x0000000000000000-mapping.dmp

Download
memory/960-70-0x0000000000000000-mapping.dmp

Download
memory/976-326-0x0000000000000000-mapping.dmp

Download
memory/980-311-0x0000000000000000-mapping.dmp

Download
memory/1000-289-0x0000000000000000-mapping.dmp

Download
memory/1032-349-0x0000000000000000-mapping.dmp

Download
memory/1040-379-0x0000000000000000-mapping.dmp

Download
memory/1084-100-0x0000000000000000-mapping.dmp

Download
memory/1160-58-0x0000000000000000-mapping.dmp

Download
memory/1292-333-0x0000000000000000-mapping.dmp

Download
memory/1300-154-0x0000000000000000-mapping.dmp

Download
memory/1316-140-0x0000000000000000-mapping.dmp

Download
memory/1324-280-0x0000000000000000-mapping.dmp

Download
memory/1356-82-0x0000000000000000-mapping.dmp

Download
memory/1404-305-0x0000000000000000-mapping.dmp

Download
memory/1428-353-0x0000000000000000-mapping.dmp

Download
memory/1448-210-0x0000000000000000-mapping.dmp

Download
memory/1452-76-0x0000000000000000-mapping.dmp

Download
memory/1468-189-0x0000000000000000-mapping.dmp

Download
memory/1488-220-0x0000000000000000-mapping.dmp

Download
memory/1488-380-0x0000000000000000-mapping.dmp

Download
memory/1504-370-0x0000000000000000-mapping.dmp

Download
memory/1520-204-0x0000000000000000-mapping.dmp

Download
memory/1524-357-0x0000000000000000-mapping.dmp

Download
memory/1524-195-0x0000000000000000-mapping.dmp

Download
memory/1556-114-0x0000000000000000-mapping.dmp

Download
memory/1588-308-0x0000000000000000-mapping.dmp

Download
memory/1600-161-0x0000000000000000-mapping.dmp

Download
memory/1636-120-0x0000000000000000-mapping.dmp

Download
memory/1644-320-0x0000000000000000-mapping.dmp

Download
memory/1652-323-0x0000000000000000-mapping.dmp

Download
memory/1668-378-0x0000000000000000-mapping.dmp

Download
memory/1676-274-0x0000000000000000-mapping.dmp

Download
memory/1692-292-0x0000000000000000-mapping.dmp

Download
memory/1696-369-0x0000000000000000-mapping.dmp

Download
memory/1696-207-0x0000000000000000-mapping.dmp

Download
memory/1712-317-0x0000000000000000-mapping.dmp

Download
memory/1736-337-0x0000000000000000-mapping.dmp

Download
memory/1740-345-0x0000000000000000-mapping.dmp

Download
memory/1748-341-0x0000000000000000-mapping.dmp

Download
memory/1752-127-0x0000000000000000-mapping.dmp

Download
memory/1752-295-0x0000000000000000-mapping.dmp

Download
memory/1836-107-0x0000000000000000-mapping.dmp

Download
memory/1892-94-0x0000000000000000-mapping.dmp

Download
memory/1900-213-0x0000000000000000-mapping.dmp

Download
memory/1952-329-0x0000000000000000-mapping.dmp

Download
memory/1960-286-0x0000000000000000-mapping.dmp

Download
memory/2016-216-0x0000000000000000-mapping.dmp

Download
memory/2040-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads