60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759

Analysis

max time kernel
26s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
Size

72KB
MD5

a22ab899574bf880126e483da56c6bf0
SHA1

e044f05c5539a71fbb49fccf6c17049d298df94b
SHA256

60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759
SHA512

3b39361670fcdc7234e019d4eadeb5b61df5e488af6104b17b128bffbcaa0f40d5ffad431f3c7ef0c4c7f9d3f550eabad60c918de26a297bf56b527354b35d37
SSDEEP

384:06wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oG8:0pQNwC3BESe4Vqth+0V5vKlE3BEJwRrp

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1124	backup.exe
992	backup.exe
840	backup.exe
1732	backup.exe
276	backup.exe
1404	backup.exe
1704	backup.exe
1548	backup.exe
1408	backup.exe
1960	backup.exe
1640	data.exe
1636	backup.exe
1056	backup.exe
1924	backup.exe
1492	backup.exe
1616	backup.exe
112	backup.exe
2036	backup.exe
2016	backup.exe
2000	System Restore.exe
576	System Restore.exe
276	backup.exe
1696	backup.exe
1824	backup.exe
1296	backup.exe
1580	backup.exe
1612	backup.exe
1488	backup.exe
552	backup.exe
1540	backup.exe
752	update.exe
1960	backup.exe
980	backup.exe
776	backup.exe
1268	backup.exe
1360	backup.exe
1536	backup.exe
1972	backup.exe
572	backup.exe
1132	System Restore.exe
1672	backup.exe
1508	backup.exe
1932	update.exe
992	backup.exe
2024	backup.exe
1112	backup.exe
1732	backup.exe
2032	System Restore.exe
1456	backup.exe
560	backup.exe
636	backup.exe
1600	backup.exe
1604	backup.exe
1632	backup.exe
888	backup.exe
672	update.exe
1540	backup.exe
1996	backup.exe
524	backup.exe
1304	backup.exe
972	backup.exe
1504	backup.exe
1984	backup.exe
1636	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1548	backup.exe
1548	backup.exe
1408	backup.exe
1408	backup.exe
1548	backup.exe
1548	backup.exe
1640	data.exe
1640	data.exe
1636	backup.exe
1636	backup.exe
1640	data.exe
1640	data.exe
1924	backup.exe
1924	backup.exe
1492	backup.exe
1492	backup.exe
1492	backup.exe
1492	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
112	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
752	update.exe
752	update.exe
752	update.exe
552	backup.exe
552	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\update.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
1124	backup.exe
992	backup.exe
840	backup.exe
1732	backup.exe
276	backup.exe
1404	backup.exe
1704	backup.exe
1548	backup.exe
1408	backup.exe
1960	backup.exe
1640	data.exe
1636	backup.exe
1056	backup.exe
1924	backup.exe
1492	backup.exe
1616	backup.exe
112	backup.exe
2036	backup.exe
2016	backup.exe
2000	System Restore.exe
576	System Restore.exe
276	backup.exe
1696	backup.exe
1824	backup.exe
1296	backup.exe
1580	backup.exe
1612	backup.exe
1488	backup.exe
552	backup.exe
1540	backup.exe
752	update.exe
1960	backup.exe
980	backup.exe
776	backup.exe
1268	backup.exe
1360	backup.exe
1536	backup.exe
1972	backup.exe
572	backup.exe
1132	System Restore.exe
1672	backup.exe
1508	backup.exe
1932	update.exe
992	backup.exe
2024	backup.exe
1112	backup.exe
1732	backup.exe
2032	System Restore.exe
1456	backup.exe
560	backup.exe
636	backup.exe
1600	backup.exe
1604	backup.exe
1632	backup.exe
888	backup.exe
672	update.exe
1540	backup.exe
1996	backup.exe
524	backup.exe
1304	backup.exe
972	backup.exe
1504	backup.exe
1984	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1124	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	27
PID 1840 wrote to memory of 1124	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	27
PID 1840 wrote to memory of 1124	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	27
PID 1840 wrote to memory of 1124	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	27
PID 1840 wrote to memory of 992	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	28
PID 1840 wrote to memory of 992	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	28
PID 1840 wrote to memory of 992	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	28
PID 1840 wrote to memory of 992	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	28
PID 1840 wrote to memory of 840	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	29
PID 1840 wrote to memory of 840	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	29
PID 1840 wrote to memory of 840	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	29
PID 1840 wrote to memory of 840	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	29
PID 1840 wrote to memory of 1732	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	30
PID 1840 wrote to memory of 1732	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	30
PID 1840 wrote to memory of 1732	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	30
PID 1840 wrote to memory of 1732	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	30
PID 1840 wrote to memory of 276	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	31
PID 1840 wrote to memory of 276	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	31
PID 1840 wrote to memory of 276	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	31
PID 1840 wrote to memory of 276	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	31
PID 1840 wrote to memory of 1404	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	32
PID 1840 wrote to memory of 1404	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	32
PID 1840 wrote to memory of 1404	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	32
PID 1840 wrote to memory of 1404	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	32
PID 1840 wrote to memory of 1704	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	33
PID 1840 wrote to memory of 1704	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	33
PID 1840 wrote to memory of 1704	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	33
PID 1840 wrote to memory of 1704	1840	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe	33
PID 1124 wrote to memory of 1548	1124	backup.exe	34
PID 1124 wrote to memory of 1548	1124	backup.exe	34
PID 1124 wrote to memory of 1548	1124	backup.exe	34
PID 1124 wrote to memory of 1548	1124	backup.exe	34
PID 1548 wrote to memory of 1408	1548	backup.exe	35
PID 1548 wrote to memory of 1408	1548	backup.exe	35
PID 1548 wrote to memory of 1408	1548	backup.exe	35
PID 1548 wrote to memory of 1408	1548	backup.exe	35
PID 1408 wrote to memory of 1960	1408	backup.exe	36
PID 1408 wrote to memory of 1960	1408	backup.exe	36
PID 1408 wrote to memory of 1960	1408	backup.exe	36
PID 1408 wrote to memory of 1960	1408	backup.exe	36
PID 1548 wrote to memory of 1640	1548	backup.exe	37
PID 1548 wrote to memory of 1640	1548	backup.exe	37
PID 1548 wrote to memory of 1640	1548	backup.exe	37
PID 1548 wrote to memory of 1640	1548	backup.exe	37
PID 1640 wrote to memory of 1636	1640	data.exe	38
PID 1640 wrote to memory of 1636	1640	data.exe	38
PID 1640 wrote to memory of 1636	1640	data.exe	38
PID 1640 wrote to memory of 1636	1640	data.exe	38
PID 1636 wrote to memory of 1056	1636	backup.exe	39
PID 1636 wrote to memory of 1056	1636	backup.exe	39
PID 1636 wrote to memory of 1056	1636	backup.exe	39
PID 1636 wrote to memory of 1056	1636	backup.exe	39
PID 1640 wrote to memory of 1924	1640	data.exe	40
PID 1640 wrote to memory of 1924	1640	data.exe	40
PID 1640 wrote to memory of 1924	1640	data.exe	40
PID 1640 wrote to memory of 1924	1640	data.exe	40
PID 1924 wrote to memory of 1492	1924	backup.exe	41
PID 1924 wrote to memory of 1492	1924	backup.exe	41
PID 1924 wrote to memory of 1492	1924	backup.exe	41
PID 1924 wrote to memory of 1492	1924	backup.exe	41
PID 1492 wrote to memory of 1616	1492	backup.exe	42
PID 1492 wrote to memory of 1616	1492	backup.exe	42
PID 1492 wrote to memory of 1616	1492	backup.exe	42
PID 1492 wrote to memory of 1616	1492	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe

C:\Users\Admin\AppData\Local\Temp\60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe
"C:\Users\Admin\AppData\Local\Temp\60d4fbcbd9cad5086a5abf91fa50e44a6e6c1a2d7de191a7d5b61875ca75f759.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840
- C:\Users\Admin\AppData\Local\Temp\613208673\backup.exe
  C:\Users\Admin\AppData\Local\Temp\613208673\backup.exe C:\Users\Admin\AppData\Local\Temp\613208673\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1124
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1548
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1636
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1924
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        
        PID:1136
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1112
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1296
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:832
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1268
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1908
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1652
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:576
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1500
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:552
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1200
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1924
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:872
    - - C:\Program Files\DVD Maker\update.exe
        
        "C:\Program Files\DVD Maker\update.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:992
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1156
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:1480
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2012
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1676
      - C:\Program Files\DVD Maker\it-IT\data.exe
        
        "C:\Program Files\DVD Maker\it-IT\data.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1712
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:520
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1324
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:584
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1208
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1536
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1952
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1272
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1768
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1912
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1560
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:2028
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1760
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        System policy modification
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:928
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:696
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2000
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1168
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2016
      - C:\Program Files (x86)\Google\Policies\data.exe
        
        "C:\Program Files (x86)\Google\Policies\data.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1540
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:788
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1596
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1724
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:636
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1672
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1108
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      PID:1740
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:992
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:840
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:276
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37157b1751551d91f7865c4db4bf64ab

SHA1
8c56ad9ea1d049443e069b5aac1949a7bf5bf79b

SHA256
a5df88f058c6aafc1046d5b8062e50be2f14f1aa0d0f1ea0d0936ca5a7f06a3f

SHA512
ec237d3a24718c1f70c95e353b25051526894d115f77a3a4eead117aecdd89d9a02627a7f589e9e011cbeff957646acd8ba683f678fd9925be3878a9cdcf1748

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7efc3b71b7639637bc476b0ba7c7a0ab

SHA1
e5a9d99051eac9f52bbcbf3651ee6d2b1ab0aeff

SHA256
a348b0331b1ca66255bddad7d9e78d291841595856b993fc0b186c34c6f570be

SHA512
1e897fdeda5243e30b0bc0e239a67f05e510fc6dce64807cf3dff0a59b5876962efac4e2a9da1b9d7cf7b5e590f7061cb0489af703848432acd0f6b3d7eac0fe

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7efc3b71b7639637bc476b0ba7c7a0ab

SHA1
e5a9d99051eac9f52bbcbf3651ee6d2b1ab0aeff

SHA256
a348b0331b1ca66255bddad7d9e78d291841595856b993fc0b186c34c6f570be

SHA512
1e897fdeda5243e30b0bc0e239a67f05e510fc6dce64807cf3dff0a59b5876962efac4e2a9da1b9d7cf7b5e590f7061cb0489af703848432acd0f6b3d7eac0fe

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
c50aa907e480f000a17dd6b7d4e1e3dd

SHA1
e2ce4ee92195214c712cb0042c779af1313bc3d1

SHA256
75d6aeea389b495e8dfeedaf4ba25931763ed14d2a5ba23be9008e5a37794811

SHA512
6818cd6ca12da37d91fefab6976ee291eb2aff1fc76bd954e575c537bbb2129d8ec7ac8651e3839995c34839b6545d435e5fac8a3f1ad2660d0e390e470dbd26

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
c50aa907e480f000a17dd6b7d4e1e3dd

SHA1
e2ce4ee92195214c712cb0042c779af1313bc3d1

SHA256
75d6aeea389b495e8dfeedaf4ba25931763ed14d2a5ba23be9008e5a37794811

SHA512
6818cd6ca12da37d91fefab6976ee291eb2aff1fc76bd954e575c537bbb2129d8ec7ac8651e3839995c34839b6545d435e5fac8a3f1ad2660d0e390e470dbd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\613208673\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\613208673\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
C:\backup.exe

Filesize
72KB

MD5
66d2e323683ba84712ad178157a45096

SHA1
1fdc28a62df821910c2b9c7cdca92cc20ee85a05

SHA256
6714bf378c99d2dc77b6063eea726938d281544f212fcde650357a8cbe8cf202

SHA512
8a8045ce1080fd9b23b6e442b9358d6ae27bc68493861b86df49333df26897ce0ffed95030c2d17a2025a300b8eeb63798761cdbe862b60fa0e90498667ad923

Download Submit
C:\backup.exe

Filesize
72KB

MD5
66d2e323683ba84712ad178157a45096

SHA1
1fdc28a62df821910c2b9c7cdca92cc20ee85a05

SHA256
6714bf378c99d2dc77b6063eea726938d281544f212fcde650357a8cbe8cf202

SHA512
8a8045ce1080fd9b23b6e442b9358d6ae27bc68493861b86df49333df26897ce0ffed95030c2d17a2025a300b8eeb63798761cdbe862b60fa0e90498667ad923

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37157b1751551d91f7865c4db4bf64ab

SHA1
8c56ad9ea1d049443e069b5aac1949a7bf5bf79b

SHA256
a5df88f058c6aafc1046d5b8062e50be2f14f1aa0d0f1ea0d0936ca5a7f06a3f

SHA512
ec237d3a24718c1f70c95e353b25051526894d115f77a3a4eead117aecdd89d9a02627a7f589e9e011cbeff957646acd8ba683f678fd9925be3878a9cdcf1748

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
37157b1751551d91f7865c4db4bf64ab

SHA1
8c56ad9ea1d049443e069b5aac1949a7bf5bf79b

SHA256
a5df88f058c6aafc1046d5b8062e50be2f14f1aa0d0f1ea0d0936ca5a7f06a3f

SHA512
ec237d3a24718c1f70c95e353b25051526894d115f77a3a4eead117aecdd89d9a02627a7f589e9e011cbeff957646acd8ba683f678fd9925be3878a9cdcf1748

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7efc3b71b7639637bc476b0ba7c7a0ab

SHA1
e5a9d99051eac9f52bbcbf3651ee6d2b1ab0aeff

SHA256
a348b0331b1ca66255bddad7d9e78d291841595856b993fc0b186c34c6f570be

SHA512
1e897fdeda5243e30b0bc0e239a67f05e510fc6dce64807cf3dff0a59b5876962efac4e2a9da1b9d7cf7b5e590f7061cb0489af703848432acd0f6b3d7eac0fe

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
7efc3b71b7639637bc476b0ba7c7a0ab

SHA1
e5a9d99051eac9f52bbcbf3651ee6d2b1ab0aeff

SHA256
a348b0331b1ca66255bddad7d9e78d291841595856b993fc0b186c34c6f570be

SHA512
1e897fdeda5243e30b0bc0e239a67f05e510fc6dce64807cf3dff0a59b5876962efac4e2a9da1b9d7cf7b5e590f7061cb0489af703848432acd0f6b3d7eac0fe

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1943eda8fd1f0f31fac8c360fe45e6d5

SHA1
fea5be63c6b8fa2951654d4f6a5f53c3c38e1b75

SHA256
02bfd1f93552c4ec843477abcfaef354298a12e1ce9eef203a21f6cc55875213

SHA512
cea5773acac31af58bd6ee5329722a12814c5e53309265fe3eadbfb4eab78fb1d9bf65f42a09b9c9949d186ff8d6cbd058defe1f916808b0187a4372cb049939

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
bbd695c103c8d97c25f15a33d436d0c1

SHA1
db165dd0197fa8a037ee8f760e6014f032cd58f1

SHA256
a80a8dfd5ddbaef2164706665680db241be3e87b2316ab897151eedbd70d1dee

SHA512
7b203c9ac4c397b0758a97eb8c00ff2a9d9e7d787b176ae1f13d6841fdd6650fb9a57f45aff68276b45a66ddd4e4442158d57e7e4388efa01309eaa32c67a0b1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
66892065c4bb5e8196a0c12744b208c3

SHA1
1fb850ca9e246ce534ca33616677a8a7b47e0503

SHA256
a359bb035a14eee438fe6e52a8041157a527c54831372d3f71307a5af89a50dc

SHA512
d0a4415bd04db5700c1bd5290ef6889ce42bcd172f69dcdd13073755533dbc1ba2b6952f1f436645e39f6b6de9d8cb3c1c963d929b14487f0e943b5633f8a13c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
efa5b4a55e61da7216954eaf1d56aec7

SHA1
beff191fc66e758b8fe028770acd558c6eb7fd5a

SHA256
0738dd34ceb5786241a5786a3111e9598afd10ef9a39a0540f2f7697c2708a5d

SHA512
2fb65ba0e952cbf4f6342b8354d9502a8e40e41d0b526b96a6cbc3fd78e2c97853031e4c21e74c0270d3b25e6f3b1992204ab00fb193d6cb858b469ae490caec

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
c50aa907e480f000a17dd6b7d4e1e3dd

SHA1
e2ce4ee92195214c712cb0042c779af1313bc3d1

SHA256
75d6aeea389b495e8dfeedaf4ba25931763ed14d2a5ba23be9008e5a37794811

SHA512
6818cd6ca12da37d91fefab6976ee291eb2aff1fc76bd954e575c537bbb2129d8ec7ac8651e3839995c34839b6545d435e5fac8a3f1ad2660d0e390e470dbd26

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
c50aa907e480f000a17dd6b7d4e1e3dd

SHA1
e2ce4ee92195214c712cb0042c779af1313bc3d1

SHA256
75d6aeea389b495e8dfeedaf4ba25931763ed14d2a5ba23be9008e5a37794811

SHA512
6818cd6ca12da37d91fefab6976ee291eb2aff1fc76bd954e575c537bbb2129d8ec7ac8651e3839995c34839b6545d435e5fac8a3f1ad2660d0e390e470dbd26

Download Submit
\Users\Admin\AppData\Local\Temp\613208673\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\613208673\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
879066c3924024ec1a2fe675a903c32c

SHA1
30b85785660d8802eef31c1751d5fd8227ed58ed

SHA256
be29d6c0108db323d48ea577add8727b6f6a1f61f31122b08870a458b54ec84a

SHA512
46bce562aa20d7813c29715589432f49e145915b8c8d7c4840c76a94d5a1d9a5b107e750dfc6ca64c297a2d7f549fef56c410f2e829112464603de08c9e59ef1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c2eb2ee6a954e0cfd4bae3f3e943e2eb

SHA1
4e6f2464a4356c3317990bddfcd0ef2497b6c4c4

SHA256
bf72f7ca6f35e9d3af190431faaf7c5844ab42c013cdf0d2be4ea58bb61081a3

SHA512
5d0770a49cc829049719ad2eb7f182a52d203c1bff9cd2fcd907894935988179a896a628c10cb1c0baca23c33714b3eb1663070eb804ef67b05cbd6646761014

Download Submit
memory/1840-100-0x0000000074D01000-0x0000000074D03000-memory.dmp

Filesize
8KB

Download
memory/1840-98-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads