ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9

Analysis

max time kernel
25s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
Size

72KB
MD5

662c2f3613700ed3be7e787c4de27529
SHA1

dde054eaf80b882cb7c8432b7dc8af5d4f8dd222
SHA256

ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9
SHA512

3da0a12ed57965f5f80a88813cfae277167044ac62ace5b2a074d50ce42ee220a033723a2d90d62598aa75d9a5612f632a97dd6b3c7e2f0b4bed5ca6f6d71ab9
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr9e4:teThavEjDWguK9R

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1300	backup.exe
568	backup.exe
688	backup.exe
108	backup.exe
1036	backup.exe
636	backup.exe
556	backup.exe
1540	backup.exe
1900	backup.exe
1904	backup.exe
1656	backup.exe
1996	backup.exe
1752	backup.exe
1180	backup.exe
772	data.exe
1096	update.exe
1756	backup.exe
1612	backup.exe
1328	backup.exe
1100	backup.exe
332	backup.exe
108	backup.exe
1052	backup.exe
1536	backup.exe
1828	backup.exe
1604	System Restore.exe
1928	backup.exe
1716	backup.exe
1804	backup.exe
1952	backup.exe
1916	backup.exe
1664	backup.exe
1904	backup.exe
1644	backup.exe
2028	backup.exe
1652	backup.exe
580	backup.exe
1752	backup.exe
1168	backup.exe
304	backup.exe
1108	backup.exe
1132	backup.exe
1744	backup.exe
1676	backup.exe
1056	backup.exe
1616	backup.exe
1492	backup.exe
876	data.exe
1344	backup.exe
1012	backup.exe
332	backup.exe
1036	backup.exe
1028	backup.exe
536	backup.exe
1536	backup.exe
1828	backup.exe
1928	backup.exe
1932	backup.exe
1668	backup.exe
1388	DllHost.exe
1912	backup.exe
1080	backup.exe
1816	backup.exe
1944	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
1540	backup.exe
1540	backup.exe
1900	backup.exe
1900	backup.exe
1540	backup.exe
1540	backup.exe
1656	backup.exe
1656	backup.exe
1996	backup.exe
1996	backup.exe
1656	backup.exe
1656	backup.exe
1180	backup.exe
1180	backup.exe
772	data.exe
1096	update.exe
1096	update.exe
1096	update.exe
772	data.exe
772	data.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe
1804	backup.exe

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
1300	backup.exe
568	backup.exe
688	backup.exe
108	backup.exe
1036	backup.exe
636	backup.exe
556	backup.exe
1540	backup.exe
1900	backup.exe
1904	backup.exe
1656	backup.exe
1996	backup.exe
1752	backup.exe
1180	backup.exe
772	data.exe
1096	update.exe
1756	backup.exe
1612	backup.exe
1328	backup.exe
1100	backup.exe
332	backup.exe
108	backup.exe
1052	backup.exe
1536	backup.exe
1828	backup.exe
1604	System Restore.exe
1928	backup.exe
1716	backup.exe
1804	backup.exe
1952	backup.exe
1916	backup.exe
1664	backup.exe
1904	backup.exe
1644	backup.exe
2028	backup.exe
580	backup.exe
1652	backup.exe
1168	backup.exe
1752	backup.exe
304	backup.exe
1108	backup.exe
1132	backup.exe
1676	backup.exe
1744	backup.exe
1056	backup.exe
1616	backup.exe
1492	backup.exe
1344	backup.exe
876	data.exe
1012	backup.exe
332	backup.exe
1036	backup.exe
1028	backup.exe
1536	backup.exe
1828	backup.exe
1928	backup.exe
1932	backup.exe
1668	backup.exe
1388	DllHost.exe
1816	backup.exe
1912	backup.exe
1080	backup.exe
1944	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1300	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	27
PID 840 wrote to memory of 1300	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	27
PID 840 wrote to memory of 1300	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	27
PID 840 wrote to memory of 1300	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	27
PID 840 wrote to memory of 568	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	28
PID 840 wrote to memory of 568	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	28
PID 840 wrote to memory of 568	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	28
PID 840 wrote to memory of 568	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	28
PID 840 wrote to memory of 688	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	29
PID 840 wrote to memory of 688	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	29
PID 840 wrote to memory of 688	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	29
PID 840 wrote to memory of 688	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	29
PID 840 wrote to memory of 108	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	30
PID 840 wrote to memory of 108	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	30
PID 840 wrote to memory of 108	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	30
PID 840 wrote to memory of 108	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	30
PID 840 wrote to memory of 1036	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	31
PID 840 wrote to memory of 1036	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	31
PID 840 wrote to memory of 1036	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	31
PID 840 wrote to memory of 1036	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	31
PID 840 wrote to memory of 636	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	32
PID 840 wrote to memory of 636	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	32
PID 840 wrote to memory of 636	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	32
PID 840 wrote to memory of 636	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	32
PID 840 wrote to memory of 556	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	33
PID 840 wrote to memory of 556	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	33
PID 840 wrote to memory of 556	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	33
PID 840 wrote to memory of 556	840	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe	33
PID 1300 wrote to memory of 1540	1300	backup.exe	34
PID 1300 wrote to memory of 1540	1300	backup.exe	34
PID 1300 wrote to memory of 1540	1300	backup.exe	34
PID 1300 wrote to memory of 1540	1300	backup.exe	34
PID 1540 wrote to memory of 1900	1540	backup.exe	35
PID 1540 wrote to memory of 1900	1540	backup.exe	35
PID 1540 wrote to memory of 1900	1540	backup.exe	35
PID 1540 wrote to memory of 1900	1540	backup.exe	35
PID 1900 wrote to memory of 1904	1900	backup.exe	36
PID 1900 wrote to memory of 1904	1900	backup.exe	36
PID 1900 wrote to memory of 1904	1900	backup.exe	36
PID 1900 wrote to memory of 1904	1900	backup.exe	36
PID 1540 wrote to memory of 1656	1540	backup.exe	37
PID 1540 wrote to memory of 1656	1540	backup.exe	37
PID 1540 wrote to memory of 1656	1540	backup.exe	37
PID 1540 wrote to memory of 1656	1540	backup.exe	37
PID 1656 wrote to memory of 1996	1656	backup.exe	38
PID 1656 wrote to memory of 1996	1656	backup.exe	38
PID 1656 wrote to memory of 1996	1656	backup.exe	38
PID 1656 wrote to memory of 1996	1656	backup.exe	38
PID 1996 wrote to memory of 1752	1996	backup.exe	39
PID 1996 wrote to memory of 1752	1996	backup.exe	39
PID 1996 wrote to memory of 1752	1996	backup.exe	39
PID 1996 wrote to memory of 1752	1996	backup.exe	39
PID 1656 wrote to memory of 1180	1656	backup.exe	40
PID 1656 wrote to memory of 1180	1656	backup.exe	40
PID 1656 wrote to memory of 1180	1656	backup.exe	40
PID 1656 wrote to memory of 1180	1656	backup.exe	40
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 1180 wrote to memory of 772	1180	backup.exe	41
PID 772 wrote to memory of 1096	772	data.exe	42
PID 772 wrote to memory of 1096	772	data.exe	42
PID 772 wrote to memory of 1096	772	data.exe	42
PID 772 wrote to memory of 1096	772	data.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe
"C:\Users\Admin\AppData\Local\Temp\ac9222ab7400d741ca1bb30e514ac0b54d2edbd21e134084ccf4d40c89224aa9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:840
- C:\Users\Admin\AppData\Local\Temp\15472481\backup.exe
  C:\Users\Admin\AppData\Local\Temp\15472481\backup.exe C:\Users\Admin\AppData\Local\Temp\15472481\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1300
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1540
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1900
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1656
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1996
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1180
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2208
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1236
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:564
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1680
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
      - C:\Program Files\Common Files\SpeechEngines\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\data.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:876
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1536
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1752
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1200
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1836
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1604
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:544
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1904
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1032
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1700
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1132
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1344
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1388
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1944
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2040
      - C:\Program Files\DVD Maker\Shared\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1344
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1700
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1952
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1984
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1092
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:320
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:276
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:524
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1564
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1312
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1564
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2136
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2228
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:636
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1392
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1140
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:276
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2184
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1328
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1960
    - - C:\Program Files\Mozilla Firefox\update.exe
        
        "C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1928
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1012
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2128
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2236
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1652
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2024
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Drops file in Program Files directory
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1092
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1624
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1108
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1720
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:588
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:584
    - - C:\Program Files (x86)\Microsoft Sync Framework\data.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\data.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2216
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1616
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1824
      - C:\Users\Admin\Contacts\data.exe
        
        C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1100
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1052
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1028
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1704
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:876
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:916
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1460
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1412
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2020
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2080
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2200
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1956
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1488
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:688
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:108
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:636
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a1b6c6ecb0f0c3ac0458cfbaeee2e63e

SHA1
2424f41e7f421453bdc24b345946fe4af9bfd861

SHA256
5a95ec430ae85c0ecf6363b24f2dedca5ece4b4241fa189adcc722a7dc8ca19f

SHA512
9106638190343c70f7612c81367dd6f5b8572e9715fb5645c9333bb641c82629b8a01602533718f7451c3ffb33683de287030ed26dd7f95c202442ad98d8b080

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
25859d8e2e133d1398d4ac26e0fb05d0

SHA1
2f8eec0abcbfa960002963668a024751e25f1e5e

SHA256
f39826ff8fc99a70362628f2b30a1cbccc469c5d6ce0a221fd3fddeacf1c442c

SHA512
d3b213524a59556ed5041b800f3a6f1e6802ab8ca1114cdac0be99552cba2ef52a50b2a4a492886867d29a56b8dc75ee5920a1b72a6385a34f7e5788b42e7f15

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
25859d8e2e133d1398d4ac26e0fb05d0

SHA1
2f8eec0abcbfa960002963668a024751e25f1e5e

SHA256
f39826ff8fc99a70362628f2b30a1cbccc469c5d6ce0a221fd3fddeacf1c442c

SHA512
d3b213524a59556ed5041b800f3a6f1e6802ab8ca1114cdac0be99552cba2ef52a50b2a4a492886867d29a56b8dc75ee5920a1b72a6385a34f7e5788b42e7f15

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bfbc42241848c2a17c49e6addf992be5

SHA1
de781ababb88072595445855d58fe91be29f082b

SHA256
82b1d2605aad61ded8d274992c58645806cb3dbd3a9c3cc84aaebe90b59e833e

SHA512
487fe8edec9acdca2f6ce9b47ed576090408a64b12a3f789d7271c685c3ee69b29f83ca33126798c936c6e25cb61667929a2aa0f380fca275f5d2791677d8918

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25edad9786cb057e777e79ce35ae26c1

SHA1
47a5aa7eefbdebab22e0a9558f66851963c487fc

SHA256
4b5a9d8a76dc438785e97a06580f558b5f8e4c89d365bec14b7c48762dbe9f57

SHA512
a2604f6a19b264fa8040bfe217d40a0a3691a7721f80bc9016f8ce09ab5d7ab7cd7d9288ec0053f42b2014173af58ecc7ee3a840edd7f65ec892769bf2bee1ae

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25edad9786cb057e777e79ce35ae26c1

SHA1
47a5aa7eefbdebab22e0a9558f66851963c487fc

SHA256
4b5a9d8a76dc438785e97a06580f558b5f8e4c89d365bec14b7c48762dbe9f57

SHA512
a2604f6a19b264fa8040bfe217d40a0a3691a7721f80bc9016f8ce09ab5d7ab7cd7d9288ec0053f42b2014173af58ecc7ee3a840edd7f65ec892769bf2bee1ae

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
f8de6bdee8182ab0fd30c559e06b490e

SHA1
0258ebe71f14ef299f3942f5df2731998af1e508

SHA256
6091721f9b8e7339c6827b960ac5555b583929c0a9a48e85920e2c633bf386e9

SHA512
fa1459e0968869011e550c672ae7566efb98229aed9be824c5fa5548b730820c246d99a4da1a016dd4531bc392c9ad54f7cec38f4c4cad0b1ee6f946fb4a9e17

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
f8de6bdee8182ab0fd30c559e06b490e

SHA1
0258ebe71f14ef299f3942f5df2731998af1e508

SHA256
6091721f9b8e7339c6827b960ac5555b583929c0a9a48e85920e2c633bf386e9

SHA512
fa1459e0968869011e550c672ae7566efb98229aed9be824c5fa5548b730820c246d99a4da1a016dd4531bc392c9ad54f7cec38f4c4cad0b1ee6f946fb4a9e17

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6055fb7491e0b2d09d7f2c6d9211a1e3

SHA1
6c497e9655b543dd824ebe632375eea8aaa0c2d5

SHA256
10a9535a7344644c0a435025353cb7a815129646886d07ea9216be79680dbd56

SHA512
e2193a8510ebc5a7bd81620b49918a28533f0d4b6a76c4e29e673044035ce7d87694ed12b5b657264aa6661b474523c34fa3ab83fa974e1ce5d6c7f19957db2f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9536a06568aee0b7cc6fe8555ef9d1cd

SHA1
4b110e94195bdc784095fd6550586761f6a24f58

SHA256
97e996f38efcf96f4146ef5169261c0928a0c62f20a65d3787b6cdfa1eeb8f8a

SHA512
136c225252b939ca43222746dcd5ea08cff2aae4a2ade11b69da3fb608f687f17dbb32c8133975bed72a17515f1af2f36bc8ee73f9fff0fe55d1d93b5f89d3df

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9536a06568aee0b7cc6fe8555ef9d1cd

SHA1
4b110e94195bdc784095fd6550586761f6a24f58

SHA256
97e996f38efcf96f4146ef5169261c0928a0c62f20a65d3787b6cdfa1eeb8f8a

SHA512
136c225252b939ca43222746dcd5ea08cff2aae4a2ade11b69da3fb608f687f17dbb32c8133975bed72a17515f1af2f36bc8ee73f9fff0fe55d1d93b5f89d3df

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
973f32a21a0c36a64583a7f1c0836b24

SHA1
a3be530542d75b83d68d02722c6d6898f1b62359

SHA256
56125e919995d1c8a9580892f6715784e749b3e40509017e25d6b139603e5385

SHA512
e6d2363934758475f9b75ec82a48687736e1619dd8c5eef0c04f4064a279c0a533f6f2b73627324fa5f9bee9e90f8661578bd313c6d04c9c3765608ffc47a03a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
973f32a21a0c36a64583a7f1c0836b24

SHA1
a3be530542d75b83d68d02722c6d6898f1b62359

SHA256
56125e919995d1c8a9580892f6715784e749b3e40509017e25d6b139603e5385

SHA512
e6d2363934758475f9b75ec82a48687736e1619dd8c5eef0c04f4064a279c0a533f6f2b73627324fa5f9bee9e90f8661578bd313c6d04c9c3765608ffc47a03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15472481\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\15472481\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9ec79db82cee8ec8383cac881daebdd8

SHA1
fc5c414de7deb2875b5ff4186c87e4ccecc569de

SHA256
0fc8c135fbea40b9a4de38aafb1308766f4d94c2081734b087e852f51660e2f7

SHA512
ec749cf79226905678c19e0cdd30e5a157d5671dc9679d8b3e981ded6f631665e8709b33cd053fb435fa965ab5f01320cf359baf3cd19b67e52dacdd41cc2c45

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9ec79db82cee8ec8383cac881daebdd8

SHA1
fc5c414de7deb2875b5ff4186c87e4ccecc569de

SHA256
0fc8c135fbea40b9a4de38aafb1308766f4d94c2081734b087e852f51660e2f7

SHA512
ec749cf79226905678c19e0cdd30e5a157d5671dc9679d8b3e981ded6f631665e8709b33cd053fb435fa965ab5f01320cf359baf3cd19b67e52dacdd41cc2c45

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a1b6c6ecb0f0c3ac0458cfbaeee2e63e

SHA1
2424f41e7f421453bdc24b345946fe4af9bfd861

SHA256
5a95ec430ae85c0ecf6363b24f2dedca5ece4b4241fa189adcc722a7dc8ca19f

SHA512
9106638190343c70f7612c81367dd6f5b8572e9715fb5645c9333bb641c82629b8a01602533718f7451c3ffb33683de287030ed26dd7f95c202442ad98d8b080

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
a1b6c6ecb0f0c3ac0458cfbaeee2e63e

SHA1
2424f41e7f421453bdc24b345946fe4af9bfd861

SHA256
5a95ec430ae85c0ecf6363b24f2dedca5ece4b4241fa189adcc722a7dc8ca19f

SHA512
9106638190343c70f7612c81367dd6f5b8572e9715fb5645c9333bb641c82629b8a01602533718f7451c3ffb33683de287030ed26dd7f95c202442ad98d8b080

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
25859d8e2e133d1398d4ac26e0fb05d0

SHA1
2f8eec0abcbfa960002963668a024751e25f1e5e

SHA256
f39826ff8fc99a70362628f2b30a1cbccc469c5d6ce0a221fd3fddeacf1c442c

SHA512
d3b213524a59556ed5041b800f3a6f1e6802ab8ca1114cdac0be99552cba2ef52a50b2a4a492886867d29a56b8dc75ee5920a1b72a6385a34f7e5788b42e7f15

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
25859d8e2e133d1398d4ac26e0fb05d0

SHA1
2f8eec0abcbfa960002963668a024751e25f1e5e

SHA256
f39826ff8fc99a70362628f2b30a1cbccc469c5d6ce0a221fd3fddeacf1c442c

SHA512
d3b213524a59556ed5041b800f3a6f1e6802ab8ca1114cdac0be99552cba2ef52a50b2a4a492886867d29a56b8dc75ee5920a1b72a6385a34f7e5788b42e7f15

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bfbc42241848c2a17c49e6addf992be5

SHA1
de781ababb88072595445855d58fe91be29f082b

SHA256
82b1d2605aad61ded8d274992c58645806cb3dbd3a9c3cc84aaebe90b59e833e

SHA512
487fe8edec9acdca2f6ce9b47ed576090408a64b12a3f789d7271c685c3ee69b29f83ca33126798c936c6e25cb61667929a2aa0f380fca275f5d2791677d8918

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
bfbc42241848c2a17c49e6addf992be5

SHA1
de781ababb88072595445855d58fe91be29f082b

SHA256
82b1d2605aad61ded8d274992c58645806cb3dbd3a9c3cc84aaebe90b59e833e

SHA512
487fe8edec9acdca2f6ce9b47ed576090408a64b12a3f789d7271c685c3ee69b29f83ca33126798c936c6e25cb61667929a2aa0f380fca275f5d2791677d8918

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25edad9786cb057e777e79ce35ae26c1

SHA1
47a5aa7eefbdebab22e0a9558f66851963c487fc

SHA256
4b5a9d8a76dc438785e97a06580f558b5f8e4c89d365bec14b7c48762dbe9f57

SHA512
a2604f6a19b264fa8040bfe217d40a0a3691a7721f80bc9016f8ce09ab5d7ab7cd7d9288ec0053f42b2014173af58ecc7ee3a840edd7f65ec892769bf2bee1ae

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25edad9786cb057e777e79ce35ae26c1

SHA1
47a5aa7eefbdebab22e0a9558f66851963c487fc

SHA256
4b5a9d8a76dc438785e97a06580f558b5f8e4c89d365bec14b7c48762dbe9f57

SHA512
a2604f6a19b264fa8040bfe217d40a0a3691a7721f80bc9016f8ce09ab5d7ab7cd7d9288ec0053f42b2014173af58ecc7ee3a840edd7f65ec892769bf2bee1ae

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
f8de6bdee8182ab0fd30c559e06b490e

SHA1
0258ebe71f14ef299f3942f5df2731998af1e508

SHA256
6091721f9b8e7339c6827b960ac5555b583929c0a9a48e85920e2c633bf386e9

SHA512
fa1459e0968869011e550c672ae7566efb98229aed9be824c5fa5548b730820c246d99a4da1a016dd4531bc392c9ad54f7cec38f4c4cad0b1ee6f946fb4a9e17

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
f8de6bdee8182ab0fd30c559e06b490e

SHA1
0258ebe71f14ef299f3942f5df2731998af1e508

SHA256
6091721f9b8e7339c6827b960ac5555b583929c0a9a48e85920e2c633bf386e9

SHA512
fa1459e0968869011e550c672ae7566efb98229aed9be824c5fa5548b730820c246d99a4da1a016dd4531bc392c9ad54f7cec38f4c4cad0b1ee6f946fb4a9e17

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6055fb7491e0b2d09d7f2c6d9211a1e3

SHA1
6c497e9655b543dd824ebe632375eea8aaa0c2d5

SHA256
10a9535a7344644c0a435025353cb7a815129646886d07ea9216be79680dbd56

SHA512
e2193a8510ebc5a7bd81620b49918a28533f0d4b6a76c4e29e673044035ce7d87694ed12b5b657264aa6661b474523c34fa3ab83fa974e1ce5d6c7f19957db2f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6055fb7491e0b2d09d7f2c6d9211a1e3

SHA1
6c497e9655b543dd824ebe632375eea8aaa0c2d5

SHA256
10a9535a7344644c0a435025353cb7a815129646886d07ea9216be79680dbd56

SHA512
e2193a8510ebc5a7bd81620b49918a28533f0d4b6a76c4e29e673044035ce7d87694ed12b5b657264aa6661b474523c34fa3ab83fa974e1ce5d6c7f19957db2f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ac844c3e8c29e6da06afe556474e0518

SHA1
ef3e6fc492241e8f47bd9682b7bdd28770fc39fa

SHA256
e8e162562f7f0cb234a349cb4fa25ff4aa8374ddcd41a0970588cc4cfde66305

SHA512
e1ce79bfb6dcb3e4bb5706d563997b1e977a0a2015c0a90a8dad191201cf20e1a31c4ad00f994d1d9e33e50aa2cb703f56ccab37669cd3c1ed8bd83f2c80966b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
6f0da201ee2bc09b238d9b60e52eaf9d

SHA1
fff03ac2fb7fd24467e9eb6dee11c6a041d2dbfe

SHA256
0122620c70032da3745f1cb2821a11f84d77151dae4c9a3ade5bdc429d38f9df

SHA512
50ee2b98eebe37da6f5da9e2c8480ab93dc10dd7722c7e3c7df69e60ce90e812bf8f85b7bd7c55b2adf6453c247d6af8d372b2b9e1e7ab620a9110ed2b547264

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9536a06568aee0b7cc6fe8555ef9d1cd

SHA1
4b110e94195bdc784095fd6550586761f6a24f58

SHA256
97e996f38efcf96f4146ef5169261c0928a0c62f20a65d3787b6cdfa1eeb8f8a

SHA512
136c225252b939ca43222746dcd5ea08cff2aae4a2ade11b69da3fb608f687f17dbb32c8133975bed72a17515f1af2f36bc8ee73f9fff0fe55d1d93b5f89d3df

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
9536a06568aee0b7cc6fe8555ef9d1cd

SHA1
4b110e94195bdc784095fd6550586761f6a24f58

SHA256
97e996f38efcf96f4146ef5169261c0928a0c62f20a65d3787b6cdfa1eeb8f8a

SHA512
136c225252b939ca43222746dcd5ea08cff2aae4a2ade11b69da3fb608f687f17dbb32c8133975bed72a17515f1af2f36bc8ee73f9fff0fe55d1d93b5f89d3df

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
973f32a21a0c36a64583a7f1c0836b24

SHA1
a3be530542d75b83d68d02722c6d6898f1b62359

SHA256
56125e919995d1c8a9580892f6715784e749b3e40509017e25d6b139603e5385

SHA512
e6d2363934758475f9b75ec82a48687736e1619dd8c5eef0c04f4064a279c0a533f6f2b73627324fa5f9bee9e90f8661578bd313c6d04c9c3765608ffc47a03a

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
973f32a21a0c36a64583a7f1c0836b24

SHA1
a3be530542d75b83d68d02722c6d6898f1b62359

SHA256
56125e919995d1c8a9580892f6715784e749b3e40509017e25d6b139603e5385

SHA512
e6d2363934758475f9b75ec82a48687736e1619dd8c5eef0c04f4064a279c0a533f6f2b73627324fa5f9bee9e90f8661578bd313c6d04c9c3765608ffc47a03a

Download Submit
\Users\Admin\AppData\Local\Temp\15472481\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\15472481\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5604abfd0707789a1df33fc8725e8776

SHA1
98b08d7de91087b841b38d06c67a54c3064ec6df

SHA256
587063a0cc61d76666e0d1c015ef923db8d8e8f37599d9b9a9cd55234705d599

SHA512
66c66b617ef5ac434f4c0786b11c39e5867af8ed48934100be1efc611e99a7cd9f2aac28284630909dcb67ca61998e2ec1825982704a90efdb0655aacf5e7875

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e77123a9a82a6af8de4586c56d8e797d

SHA1
9251b365dc66f1b8d73c6a7b0a52e588d5d48fcf

SHA256
3dcde80dfb271aa6d4b89406ad01fcfc8d1f431c3c0baa2d5f04e6af880e2179

SHA512
e53ff2bdf73547c595ac8f50cbb253c7ec2e582011580f8f850e835908751ad1e8379e6b06c0e038de7cc93ebbf5c6aef9a4c7cee71dd12830794215488875ef

Download Submit
memory/840-98-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/840-124-0x0000000074901000-0x0000000074903000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads