2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2

Analysis

max time kernel
147s
max time network
60s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
Size

72KB
MD5

91d7e5c7322475ae41c07071afce7a80
SHA1

c6116c6b82a0172dffacb9e40ee6f91bda126c60
SHA256

2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2
SHA512

e5ccd3eeb4ffbac3a2dfa44e49a4d6eeb57032ccb1eaf3f0709aeb7d995d50e6b29a1751dd565451d42d85b5eb66be6d69ff08102a397af6851e342a05bbe5d9
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyv+:HeT7BVwxfvqguKRFAb

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1776	backup.exe
1552	backup.exe
1656	backup.exe
1732	backup.exe
1116	backup.exe
268	backup.exe
432	backup.exe
772	data.exe
868	backup.exe
1584	System Restore.exe
1900	backup.exe
1916	data.exe
1660	backup.exe
1292	backup.exe
1744	backup.exe
1980	backup.exe
1104	backup.exe
2004	backup.exe
1796	backup.exe
1632	backup.exe
628	backup.exe
852	backup.exe
1512	backup.exe
1228	backup.exe
1012	backup.exe
1932	backup.exe
636	backup.exe
1996	backup.exe
1068	backup.exe
1704	backup.exe
1328	backup.exe
1944	backup.exe
692	backup.exe
1584	backup.exe
880	backup.exe
1188	backup.exe
1540	backup.exe
1912	backup.exe
1524	backup.exe
1532	backup.exe
1908	backup.exe
1392	backup.exe
2044	backup.exe
988	backup.exe
752	backup.exe
2028	backup.exe
1280	update.exe
960	data.exe
2024	backup.exe
1412	backup.exe
852	backup.exe
1924	backup.exe
360	backup.exe
288	backup.exe
1800	backup.exe
592	backup.exe
428	backup.exe
432	backup.exe
792	backup.exe
812	backup.exe
1196	backup.exe
868	backup.exe
1612	update.exe
1476	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
772	data.exe
772	data.exe
868	backup.exe
868	backup.exe
772	data.exe
772	data.exe
1900	backup.exe
1900	backup.exe
1916	data.exe
1916	data.exe
1900	backup.exe
772	data.exe
1900	backup.exe
772	data.exe
1292	backup.exe
1744	backup.exe
1744	backup.exe
1292	backup.exe
1104	backup.exe
1104	backup.exe
1980	backup.exe
1980	backup.exe
1796	backup.exe
1796	backup.exe
1104	backup.exe
1104	backup.exe
628	backup.exe
628	backup.exe
628	backup.exe
628	backup.exe
1796	backup.exe
1796	backup.exe
628	backup.exe
628	backup.exe
1228	backup.exe
1228	backup.exe
628	backup.exe
628	backup.exe
628	backup.exe
628	backup.exe
1228	backup.exe
1228	backup.exe
1228	backup.exe
1228	backup.exe
628	backup.exe
628	backup.exe
1228	backup.exe
1228	backup.exe
628	backup.exe
628	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\update.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\data.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Windows\Branding\ShellBrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\update.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
1776	backup.exe
1552	backup.exe
1656	backup.exe
1732	backup.exe
1116	backup.exe
268	backup.exe
432	backup.exe
772	data.exe
868	backup.exe
1584	System Restore.exe
1900	backup.exe
1916	data.exe
1660	backup.exe
1744	backup.exe
1292	backup.exe
1980	backup.exe
1104	backup.exe
2004	backup.exe
1796	backup.exe
1632	backup.exe
628	backup.exe
852	backup.exe
1512	backup.exe
1228	backup.exe
1012	backup.exe
1932	backup.exe
636	backup.exe
1996	backup.exe
1068	backup.exe
1704	backup.exe
1328	backup.exe
1944	backup.exe
692	backup.exe
1584	backup.exe
880	backup.exe
1188	backup.exe
1540	backup.exe
1912	backup.exe
1524	backup.exe
1532	backup.exe
1908	backup.exe
1392	backup.exe
2044	backup.exe
988	backup.exe
752	backup.exe
2028	backup.exe
960	data.exe
2024	backup.exe
1280	update.exe
1412	backup.exe
852	backup.exe
1924	backup.exe
288	backup.exe
360	backup.exe
1800	backup.exe
592	backup.exe
428	backup.exe
432	backup.exe
792	backup.exe
812	backup.exe
1196	backup.exe
868	backup.exe
1612	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1776	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	27
PID 2000 wrote to memory of 1776	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	27
PID 2000 wrote to memory of 1776	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	27
PID 2000 wrote to memory of 1776	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	27
PID 2000 wrote to memory of 1552	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	28
PID 2000 wrote to memory of 1552	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	28
PID 2000 wrote to memory of 1552	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	28
PID 2000 wrote to memory of 1552	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	28
PID 2000 wrote to memory of 1656	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	29
PID 2000 wrote to memory of 1656	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	29
PID 2000 wrote to memory of 1656	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	29
PID 2000 wrote to memory of 1656	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	29
PID 2000 wrote to memory of 1732	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	30
PID 2000 wrote to memory of 1732	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	30
PID 2000 wrote to memory of 1732	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	30
PID 2000 wrote to memory of 1732	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	30
PID 2000 wrote to memory of 1116	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	31
PID 2000 wrote to memory of 1116	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	31
PID 2000 wrote to memory of 1116	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	31
PID 2000 wrote to memory of 1116	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	31
PID 2000 wrote to memory of 268	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	32
PID 2000 wrote to memory of 268	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	32
PID 2000 wrote to memory of 268	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	32
PID 2000 wrote to memory of 268	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	32
PID 2000 wrote to memory of 432	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	33
PID 2000 wrote to memory of 432	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	33
PID 2000 wrote to memory of 432	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	33
PID 2000 wrote to memory of 432	2000	2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe	33
PID 1776 wrote to memory of 772	1776	backup.exe	34
PID 1776 wrote to memory of 772	1776	backup.exe	34
PID 1776 wrote to memory of 772	1776	backup.exe	34
PID 1776 wrote to memory of 772	1776	backup.exe	34
PID 772 wrote to memory of 868	772	data.exe	35
PID 772 wrote to memory of 868	772	data.exe	35
PID 772 wrote to memory of 868	772	data.exe	35
PID 772 wrote to memory of 868	772	data.exe	35
PID 868 wrote to memory of 1584	868	backup.exe	36
PID 868 wrote to memory of 1584	868	backup.exe	36
PID 868 wrote to memory of 1584	868	backup.exe	36
PID 868 wrote to memory of 1584	868	backup.exe	36
PID 772 wrote to memory of 1900	772	data.exe	37
PID 772 wrote to memory of 1900	772	data.exe	37
PID 772 wrote to memory of 1900	772	data.exe	37
PID 772 wrote to memory of 1900	772	data.exe	37
PID 1900 wrote to memory of 1916	1900	backup.exe	38
PID 1900 wrote to memory of 1916	1900	backup.exe	38
PID 1900 wrote to memory of 1916	1900	backup.exe	38
PID 1900 wrote to memory of 1916	1900	backup.exe	38
PID 1916 wrote to memory of 1660	1916	data.exe	39
PID 1916 wrote to memory of 1660	1916	data.exe	39
PID 1916 wrote to memory of 1660	1916	data.exe	39
PID 1916 wrote to memory of 1660	1916	data.exe	39
PID 1900 wrote to memory of 1292	1900	backup.exe	41
PID 1900 wrote to memory of 1292	1900	backup.exe	41
PID 1900 wrote to memory of 1292	1900	backup.exe	41
PID 1900 wrote to memory of 1292	1900	backup.exe	41
PID 772 wrote to memory of 1744	772	data.exe	40
PID 772 wrote to memory of 1744	772	data.exe	40
PID 772 wrote to memory of 1744	772	data.exe	40
PID 772 wrote to memory of 1744	772	data.exe	40
PID 1744 wrote to memory of 1980	1744	backup.exe	42
PID 1744 wrote to memory of 1980	1744	backup.exe	42
PID 1744 wrote to memory of 1980	1744	backup.exe	42
PID 1744 wrote to memory of 1980	1744	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe
"C:\Users\Admin\AppData\Local\Temp\2ddec52b4a857ee067b565bd22cef4d631855b3c9d01e3bfcfd1dea3dca254d2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\2320312743\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2320312743\backup.exe C:\Users\Admin\AppData\Local\Temp\2320312743\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\data.exe
    \data.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:868
    - - C:\PerfLogs\Admin\System Restore.exe
        
        "C:\PerfLogs\Admin\System Restore.exe" C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Program Files\7-Zip\data.exe
        
        "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1292
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        System policy modification
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2252
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1928
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:640
      - C:\Program Files\Common Files\SpeechEngines\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\data.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1996
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:1852
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1728
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1568
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1748
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Program Files\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:468
        
        C:\Program Files\Common Files\System\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1280
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:936
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:1928
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1908
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1512
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:984
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:908
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1192
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:2120
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1600
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:392
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:1772
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        System policy modification
        
        PID:1036
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1300
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        System policy modification
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1320
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:2064
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\data.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\data.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:640
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1624
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2032
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1784
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1632
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2088
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:1276
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1216
      - C:\Program Files\Java\jre7\update.exe
        
        "C:\Program Files\Java\jre7\update.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2080
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2008
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2184
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1980
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        System policy modification
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        System policy modification
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        System policy modification
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        System policy modification
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:908
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1780
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:468
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Drops file in Program Files directory
        
        PID:1220
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1604
      - C:\Program Files (x86)\Common Files\Adobe AIR\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Drops file in Program Files directory
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Drops file in Program Files directory
        
        PID:1920
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1980
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1036
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:868
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1388
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:2096
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2072
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1712
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:432
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2008
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1724
      - C:\Program Files (x86)\Google\Update\update.exe
        
        "C:\Program Files (x86)\Google\Update\update.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        System policy modification
        
        PID:1148
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1544
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1848
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1784
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2192
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1400
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:592
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2128
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1764
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:880
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:640
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2168
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:1848
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:1012
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:868
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1632
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1916
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1264
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1188
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1280
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1924
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1168
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1916
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2160
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1412
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1748
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:700
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1820
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:848
      - C:\Users\Public\Pictures\data.exe
        
        C:\Users\Public\Pictures\data.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1392
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2260
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1200
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:836
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1388
    - - C:\Windows\AppPatch\System Restore.exe
        
        "C:\Windows\AppPatch\System Restore.exe" C:\Windows\AppPatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:1068
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:1980
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:1140
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
      - C:\Windows\AppPatch\de-DE\data.exe
        
        C:\Windows\AppPatch\de-DE\data.exe C:\Windows\AppPatch\de-DE\
        6⤵
        System policy modification
        
        PID:1980
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1560
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:1168
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2112
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:912
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:1912
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:1728
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1596
        
        C:\Windows\assembly\GAC\Extensibility\update.exe
        
        C:\Windows\assembly\GAC\Extensibility\update.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2056
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1996
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:2200
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:1220
      - C:\Windows\Branding\Basebrd\System Restore.exe
        
        "C:\Windows\Branding\Basebrd\System Restore.exe" C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:324
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:1476
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:1708
      - C:\Windows\Branding\ShellBrd\backup.exe
        
        C:\Windows\Branding\ShellBrd\backup.exe C:\Windows\Branding\ShellBrd\
        6⤵
        
        PID:1672
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1196
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2176
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
a1ef9154c2672728a8f1ecc9cb417b8d

SHA1
b7e90326344bd766d4bc8b22da8181665c8c6986

SHA256
86f715af5d57350f758d648543e759ec35bab254d97a565f89df5c3a4de35013

SHA512
91ec9f6d2902c541c5fd7dcd480b97815154b80510908cddb9bb101c07c244f9f149ec83d963ae439aae4272aaf1f64e96151427f9e350a1cd43b6bf3ecb7ad7

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f5988a85c5ed65336f985a7e2f83cb2e

SHA1
c4dd84c798b584726cadfef3d4d029439fa42cca

SHA256
8eaefe4eda030978ab6ba295546550c9124d1ddeeb8d81ab18c2d051df6be8f2

SHA512
cec0a9502b92fd72fca01d0ee2f185126a16d1067bdbb4ba55b359c58029fd772dd9b8b648f6fb218ee759be1f328004ffbd8043203af62b40892d93a895c78d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f5988a85c5ed65336f985a7e2f83cb2e

SHA1
c4dd84c798b584726cadfef3d4d029439fa42cca

SHA256
8eaefe4eda030978ab6ba295546550c9124d1ddeeb8d81ab18c2d051df6be8f2

SHA512
cec0a9502b92fd72fca01d0ee2f185126a16d1067bdbb4ba55b359c58029fd772dd9b8b648f6fb218ee759be1f328004ffbd8043203af62b40892d93a895c78d

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
f02d9084a2da6692b3a6feae61ff5b5b

SHA1
e00bb849470322eb0bf3ac525b291e278372f6f7

SHA256
66eb5c6bd7f4efd0b472e7665c48ca444b61426d927c2ddacbc8f9dd3822e74f

SHA512
0c5d546eb687857e9403deab7f752d981d6b31ff30e0f1caf44d3e0f70b540dd24b4a93359464af1e9c5d1ea343db4d338f55cf43ffdb27fe7326e85c7083dd9

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
033b9d321e8fa4c33369d2a93b28d95e

SHA1
ee0aedf68c398c5763b71b0399a72a52d5e611aa

SHA256
127361e422f94290eae2e7164ddd4b3132861efc433ba8a389a3cc1cd1e196db

SHA512
9925f0497e8057e2625eec9421fc7932d27a6149365ad57aa108de5d6f46e7bc0eeb304499c744309d4f38b33ca3b3d388680ab7a10e8a798617fe3a1108653c

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
033b9d321e8fa4c33369d2a93b28d95e

SHA1
ee0aedf68c398c5763b71b0399a72a52d5e611aa

SHA256
127361e422f94290eae2e7164ddd4b3132861efc433ba8a389a3cc1cd1e196db

SHA512
9925f0497e8057e2625eec9421fc7932d27a6149365ad57aa108de5d6f46e7bc0eeb304499c744309d4f38b33ca3b3d388680ab7a10e8a798617fe3a1108653c

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
092f52d144c49b14fd67f1e7c72acd05

SHA1
1f6a9a2b0fc75d1c731727d0c12f89048ec76471

SHA256
bcae492478f948f91219fb28245039e2630411a52b82d576d5284a7ae4a8f303

SHA512
74b8af254f567ac688c608f3214f3bce3e8a30db55fea849fce56814f66bdb8e23bf09b6eb97e33e77512943f6c0fa7906976a95112625d603bf1b84dcd1a450

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
092f52d144c49b14fd67f1e7c72acd05

SHA1
1f6a9a2b0fc75d1c731727d0c12f89048ec76471

SHA256
bcae492478f948f91219fb28245039e2630411a52b82d576d5284a7ae4a8f303

SHA512
74b8af254f567ac688c608f3214f3bce3e8a30db55fea849fce56814f66bdb8e23bf09b6eb97e33e77512943f6c0fa7906976a95112625d603bf1b84dcd1a450

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e04ef5845dbe9ccc6a7cd6a430aecc6c

SHA1
deb60835d8d5f208bf38e55d791b4d7652805725

SHA256
8a9c0e0e412f14859c1139e9163c4fb2120d09aad48a0575838df05df26ba8f8

SHA512
fddb78358598f4b07668329d352ea9649db37f05a01340a91325c7518dd9a932c614746ac09fdab17e09d6892cdab4aa29a754c02a94010705500783750c60fb

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
417748e1ccdefe8b4cb6ac8da607a5ff

SHA1
46454e2368268b579d004c84a3a93019acc0c395

SHA256
9986ed15bc8b3a2cff4b8d9ff037b54d6a62f7a46f93ccec258c1a5a385397a7

SHA512
434ce601a36bfefaecdc12d7637f3a0b851405b4275a420239fc38f00e675d01b8b85118d47862f95c8a479e60b7637b0ca8651942578730df65e9c246b86091

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
417748e1ccdefe8b4cb6ac8da607a5ff

SHA1
46454e2368268b579d004c84a3a93019acc0c395

SHA256
9986ed15bc8b3a2cff4b8d9ff037b54d6a62f7a46f93ccec258c1a5a385397a7

SHA512
434ce601a36bfefaecdc12d7637f3a0b851405b4275a420239fc38f00e675d01b8b85118d47862f95c8a479e60b7637b0ca8651942578730df65e9c246b86091

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
2ebdfff2479b2b58aab58036db01d158

SHA1
f0331eed655edc8ca17df2c249acb90b071b9c32

SHA256
57b34c6e6d45836fc489bcf99ae451d87746bbda0861eb4600eb8870833d124f

SHA512
b5e2d2c94b3a7cc24bda5d9f7d1f58ec062f7888ff406e3f3b22f0e0f2b9727896a0583b3b9b33f5df923f6ff0219bf66b994a6b66e965954f33280e3e966c17

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0192ff53722f46ac67dbe4d0d5f804b8

SHA1
4fd16e8fb98ec01adddc0fd7e64d691be0de8712

SHA256
5d2a01778025f8a7d9bd37b9919efb5e40ae0977064f9dd977529ce64bc82a17

SHA512
bbf96fe77365fbefaec1bad63fc2dac73d36caae180d04ceddda00f32b0bb17b7a723143676505c265c791c425716040965486d6dfe26f82f199d8f240b89025

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0192ff53722f46ac67dbe4d0d5f804b8

SHA1
4fd16e8fb98ec01adddc0fd7e64d691be0de8712

SHA256
5d2a01778025f8a7d9bd37b9919efb5e40ae0977064f9dd977529ce64bc82a17

SHA512
bbf96fe77365fbefaec1bad63fc2dac73d36caae180d04ceddda00f32b0bb17b7a723143676505c265c791c425716040965486d6dfe26f82f199d8f240b89025

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
377c0c5592bf543e9a457a81f1f5de7b

SHA1
22539c6859eac1ed4a8199773cc746df1b698d4c

SHA256
9b26fc634af976c6f99dcb6d9891910b7c894486a7dabdf1fccb91f979725f04

SHA512
800f35aab7a3c8f034341b74b61986c7745ef320dd47ab3434f68a9987cc8d374a729adc6433d0d928a1ff17a5b561f839894430e070f18dfce2eb26663a8430

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
377c0c5592bf543e9a457a81f1f5de7b

SHA1
22539c6859eac1ed4a8199773cc746df1b698d4c

SHA256
9b26fc634af976c6f99dcb6d9891910b7c894486a7dabdf1fccb91f979725f04

SHA512
800f35aab7a3c8f034341b74b61986c7745ef320dd47ab3434f68a9987cc8d374a729adc6433d0d928a1ff17a5b561f839894430e070f18dfce2eb26663a8430

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3d3b5fbf28d7930f0217c2b974af5fd4

SHA1
afd919371526d15e9ea66886b43833beacdc202a

SHA256
4614106c0bdfcf4d4b8f52046746b413fc4629338ce2504ec3dc56ad6368ec78

SHA512
e3f759954eddb2e24b464e86f97822d8134c3e60c35ec788b3d7991ecbd1283ecca2b6bf93d59d522c502a92b9d314119210e2d354656ba4c481f30160080bb4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3d3b5fbf28d7930f0217c2b974af5fd4

SHA1
afd919371526d15e9ea66886b43833beacdc202a

SHA256
4614106c0bdfcf4d4b8f52046746b413fc4629338ce2504ec3dc56ad6368ec78

SHA512
e3f759954eddb2e24b464e86f97822d8134c3e60c35ec788b3d7991ecbd1283ecca2b6bf93d59d522c502a92b9d314119210e2d354656ba4c481f30160080bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2320312743\backup.exe

Filesize
72KB

MD5
18eafc8b4bc534de2dafd9abe5bfeda2

SHA1
23f6a2973921064f6a6f47c4a8695420b0e23eac

SHA256
2245a3121a9ebce92fa8accfefdd91e251d3540530f7265fb1b3544ca0e5bc9a

SHA512
f12a4d9d34704cf4f4efcf86d718f2d94ac2bc0723842e7cd74b49c9ad6be00ce01db0ee5688b444e6cb710a46cfe4b539e0b572116fb5db63b6e0d734372fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2320312743\backup.exe

Filesize
72KB

MD5
18eafc8b4bc534de2dafd9abe5bfeda2

SHA1
23f6a2973921064f6a6f47c4a8695420b0e23eac

SHA256
2245a3121a9ebce92fa8accfefdd91e251d3540530f7265fb1b3544ca0e5bc9a

SHA512
f12a4d9d34704cf4f4efcf86d718f2d94ac2bc0723842e7cd74b49c9ad6be00ce01db0ee5688b444e6cb710a46cfe4b539e0b572116fb5db63b6e0d734372fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
C:\data.exe

Filesize
72KB

MD5
6c347ce2b0ec73c84f75cee7717ec7fa

SHA1
8ef4475bf8d45666f61a0659d25f039abd389c46

SHA256
d902ce712fc3ea9fdaa03341fc124759017774bc8c246cfed01d0583e814cb0e

SHA512
bca777c3015871e3b299d313dc016385f2f33ed601ec26dea633ec47dbc55c04d6cfdeef44f4970c06796f479c4cd6f0b06c6e793517606d57b2a342a43388be

Download Submit
C:\data.exe

Filesize
72KB

MD5
6c347ce2b0ec73c84f75cee7717ec7fa

SHA1
8ef4475bf8d45666f61a0659d25f039abd389c46

SHA256
d902ce712fc3ea9fdaa03341fc124759017774bc8c246cfed01d0583e814cb0e

SHA512
bca777c3015871e3b299d313dc016385f2f33ed601ec26dea633ec47dbc55c04d6cfdeef44f4970c06796f479c4cd6f0b06c6e793517606d57b2a342a43388be

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
a1ef9154c2672728a8f1ecc9cb417b8d

SHA1
b7e90326344bd766d4bc8b22da8181665c8c6986

SHA256
86f715af5d57350f758d648543e759ec35bab254d97a565f89df5c3a4de35013

SHA512
91ec9f6d2902c541c5fd7dcd480b97815154b80510908cddb9bb101c07c244f9f149ec83d963ae439aae4272aaf1f64e96151427f9e350a1cd43b6bf3ecb7ad7

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
a1ef9154c2672728a8f1ecc9cb417b8d

SHA1
b7e90326344bd766d4bc8b22da8181665c8c6986

SHA256
86f715af5d57350f758d648543e759ec35bab254d97a565f89df5c3a4de35013

SHA512
91ec9f6d2902c541c5fd7dcd480b97815154b80510908cddb9bb101c07c244f9f149ec83d963ae439aae4272aaf1f64e96151427f9e350a1cd43b6bf3ecb7ad7

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f5988a85c5ed65336f985a7e2f83cb2e

SHA1
c4dd84c798b584726cadfef3d4d029439fa42cca

SHA256
8eaefe4eda030978ab6ba295546550c9124d1ddeeb8d81ab18c2d051df6be8f2

SHA512
cec0a9502b92fd72fca01d0ee2f185126a16d1067bdbb4ba55b359c58029fd772dd9b8b648f6fb218ee759be1f328004ffbd8043203af62b40892d93a895c78d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f5988a85c5ed65336f985a7e2f83cb2e

SHA1
c4dd84c798b584726cadfef3d4d029439fa42cca

SHA256
8eaefe4eda030978ab6ba295546550c9124d1ddeeb8d81ab18c2d051df6be8f2

SHA512
cec0a9502b92fd72fca01d0ee2f185126a16d1067bdbb4ba55b359c58029fd772dd9b8b648f6fb218ee759be1f328004ffbd8043203af62b40892d93a895c78d

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
f02d9084a2da6692b3a6feae61ff5b5b

SHA1
e00bb849470322eb0bf3ac525b291e278372f6f7

SHA256
66eb5c6bd7f4efd0b472e7665c48ca444b61426d927c2ddacbc8f9dd3822e74f

SHA512
0c5d546eb687857e9403deab7f752d981d6b31ff30e0f1caf44d3e0f70b540dd24b4a93359464af1e9c5d1ea343db4d338f55cf43ffdb27fe7326e85c7083dd9

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
f02d9084a2da6692b3a6feae61ff5b5b

SHA1
e00bb849470322eb0bf3ac525b291e278372f6f7

SHA256
66eb5c6bd7f4efd0b472e7665c48ca444b61426d927c2ddacbc8f9dd3822e74f

SHA512
0c5d546eb687857e9403deab7f752d981d6b31ff30e0f1caf44d3e0f70b540dd24b4a93359464af1e9c5d1ea343db4d338f55cf43ffdb27fe7326e85c7083dd9

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
033b9d321e8fa4c33369d2a93b28d95e

SHA1
ee0aedf68c398c5763b71b0399a72a52d5e611aa

SHA256
127361e422f94290eae2e7164ddd4b3132861efc433ba8a389a3cc1cd1e196db

SHA512
9925f0497e8057e2625eec9421fc7932d27a6149365ad57aa108de5d6f46e7bc0eeb304499c744309d4f38b33ca3b3d388680ab7a10e8a798617fe3a1108653c

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
033b9d321e8fa4c33369d2a93b28d95e

SHA1
ee0aedf68c398c5763b71b0399a72a52d5e611aa

SHA256
127361e422f94290eae2e7164ddd4b3132861efc433ba8a389a3cc1cd1e196db

SHA512
9925f0497e8057e2625eec9421fc7932d27a6149365ad57aa108de5d6f46e7bc0eeb304499c744309d4f38b33ca3b3d388680ab7a10e8a798617fe3a1108653c

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
092f52d144c49b14fd67f1e7c72acd05

SHA1
1f6a9a2b0fc75d1c731727d0c12f89048ec76471

SHA256
bcae492478f948f91219fb28245039e2630411a52b82d576d5284a7ae4a8f303

SHA512
74b8af254f567ac688c608f3214f3bce3e8a30db55fea849fce56814f66bdb8e23bf09b6eb97e33e77512943f6c0fa7906976a95112625d603bf1b84dcd1a450

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
092f52d144c49b14fd67f1e7c72acd05

SHA1
1f6a9a2b0fc75d1c731727d0c12f89048ec76471

SHA256
bcae492478f948f91219fb28245039e2630411a52b82d576d5284a7ae4a8f303

SHA512
74b8af254f567ac688c608f3214f3bce3e8a30db55fea849fce56814f66bdb8e23bf09b6eb97e33e77512943f6c0fa7906976a95112625d603bf1b84dcd1a450

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e04ef5845dbe9ccc6a7cd6a430aecc6c

SHA1
deb60835d8d5f208bf38e55d791b4d7652805725

SHA256
8a9c0e0e412f14859c1139e9163c4fb2120d09aad48a0575838df05df26ba8f8

SHA512
fddb78358598f4b07668329d352ea9649db37f05a01340a91325c7518dd9a932c614746ac09fdab17e09d6892cdab4aa29a754c02a94010705500783750c60fb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e04ef5845dbe9ccc6a7cd6a430aecc6c

SHA1
deb60835d8d5f208bf38e55d791b4d7652805725

SHA256
8a9c0e0e412f14859c1139e9163c4fb2120d09aad48a0575838df05df26ba8f8

SHA512
fddb78358598f4b07668329d352ea9649db37f05a01340a91325c7518dd9a932c614746ac09fdab17e09d6892cdab4aa29a754c02a94010705500783750c60fb

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
417748e1ccdefe8b4cb6ac8da607a5ff

SHA1
46454e2368268b579d004c84a3a93019acc0c395

SHA256
9986ed15bc8b3a2cff4b8d9ff037b54d6a62f7a46f93ccec258c1a5a385397a7

SHA512
434ce601a36bfefaecdc12d7637f3a0b851405b4275a420239fc38f00e675d01b8b85118d47862f95c8a479e60b7637b0ca8651942578730df65e9c246b86091

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
417748e1ccdefe8b4cb6ac8da607a5ff

SHA1
46454e2368268b579d004c84a3a93019acc0c395

SHA256
9986ed15bc8b3a2cff4b8d9ff037b54d6a62f7a46f93ccec258c1a5a385397a7

SHA512
434ce601a36bfefaecdc12d7637f3a0b851405b4275a420239fc38f00e675d01b8b85118d47862f95c8a479e60b7637b0ca8651942578730df65e9c246b86091

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
2ebdfff2479b2b58aab58036db01d158

SHA1
f0331eed655edc8ca17df2c249acb90b071b9c32

SHA256
57b34c6e6d45836fc489bcf99ae451d87746bbda0861eb4600eb8870833d124f

SHA512
b5e2d2c94b3a7cc24bda5d9f7d1f58ec062f7888ff406e3f3b22f0e0f2b9727896a0583b3b9b33f5df923f6ff0219bf66b994a6b66e965954f33280e3e966c17

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
2ebdfff2479b2b58aab58036db01d158

SHA1
f0331eed655edc8ca17df2c249acb90b071b9c32

SHA256
57b34c6e6d45836fc489bcf99ae451d87746bbda0861eb4600eb8870833d124f

SHA512
b5e2d2c94b3a7cc24bda5d9f7d1f58ec062f7888ff406e3f3b22f0e0f2b9727896a0583b3b9b33f5df923f6ff0219bf66b994a6b66e965954f33280e3e966c17

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0192ff53722f46ac67dbe4d0d5f804b8

SHA1
4fd16e8fb98ec01adddc0fd7e64d691be0de8712

SHA256
5d2a01778025f8a7d9bd37b9919efb5e40ae0977064f9dd977529ce64bc82a17

SHA512
bbf96fe77365fbefaec1bad63fc2dac73d36caae180d04ceddda00f32b0bb17b7a723143676505c265c791c425716040965486d6dfe26f82f199d8f240b89025

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0192ff53722f46ac67dbe4d0d5f804b8

SHA1
4fd16e8fb98ec01adddc0fd7e64d691be0de8712

SHA256
5d2a01778025f8a7d9bd37b9919efb5e40ae0977064f9dd977529ce64bc82a17

SHA512
bbf96fe77365fbefaec1bad63fc2dac73d36caae180d04ceddda00f32b0bb17b7a723143676505c265c791c425716040965486d6dfe26f82f199d8f240b89025

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
377c0c5592bf543e9a457a81f1f5de7b

SHA1
22539c6859eac1ed4a8199773cc746df1b698d4c

SHA256
9b26fc634af976c6f99dcb6d9891910b7c894486a7dabdf1fccb91f979725f04

SHA512
800f35aab7a3c8f034341b74b61986c7745ef320dd47ab3434f68a9987cc8d374a729adc6433d0d928a1ff17a5b561f839894430e070f18dfce2eb26663a8430

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
377c0c5592bf543e9a457a81f1f5de7b

SHA1
22539c6859eac1ed4a8199773cc746df1b698d4c

SHA256
9b26fc634af976c6f99dcb6d9891910b7c894486a7dabdf1fccb91f979725f04

SHA512
800f35aab7a3c8f034341b74b61986c7745ef320dd47ab3434f68a9987cc8d374a729adc6433d0d928a1ff17a5b561f839894430e070f18dfce2eb26663a8430

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3d3b5fbf28d7930f0217c2b974af5fd4

SHA1
afd919371526d15e9ea66886b43833beacdc202a

SHA256
4614106c0bdfcf4d4b8f52046746b413fc4629338ce2504ec3dc56ad6368ec78

SHA512
e3f759954eddb2e24b464e86f97822d8134c3e60c35ec788b3d7991ecbd1283ecca2b6bf93d59d522c502a92b9d314119210e2d354656ba4c481f30160080bb4

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3d3b5fbf28d7930f0217c2b974af5fd4

SHA1
afd919371526d15e9ea66886b43833beacdc202a

SHA256
4614106c0bdfcf4d4b8f52046746b413fc4629338ce2504ec3dc56ad6368ec78

SHA512
e3f759954eddb2e24b464e86f97822d8134c3e60c35ec788b3d7991ecbd1283ecca2b6bf93d59d522c502a92b9d314119210e2d354656ba4c481f30160080bb4

Download Submit
\Users\Admin\AppData\Local\Temp\2320312743\backup.exe

Filesize
72KB

MD5
18eafc8b4bc534de2dafd9abe5bfeda2

SHA1
23f6a2973921064f6a6f47c4a8695420b0e23eac

SHA256
2245a3121a9ebce92fa8accfefdd91e251d3540530f7265fb1b3544ca0e5bc9a

SHA512
f12a4d9d34704cf4f4efcf86d718f2d94ac2bc0723842e7cd74b49c9ad6be00ce01db0ee5688b444e6cb710a46cfe4b539e0b572116fb5db63b6e0d734372fef

Download Submit
\Users\Admin\AppData\Local\Temp\2320312743\backup.exe

Filesize
72KB

MD5
18eafc8b4bc534de2dafd9abe5bfeda2

SHA1
23f6a2973921064f6a6f47c4a8695420b0e23eac

SHA256
2245a3121a9ebce92fa8accfefdd91e251d3540530f7265fb1b3544ca0e5bc9a

SHA512
f12a4d9d34704cf4f4efcf86d718f2d94ac2bc0723842e7cd74b49c9ad6be00ce01db0ee5688b444e6cb710a46cfe4b539e0b572116fb5db63b6e0d734372fef

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
f19ef3588875b9381c204c84cf156216

SHA1
40ce950d1214594b97dd9c0f37e95f7d91acaaf1

SHA256
2b0196e149c93174c5f83cdaa8083d10e636dadcf3ba5444a4b3514010160e95

SHA512
c7bcc56812a8df88c0395c73970b6b988a73a54008fb145e73abd641b9bf9b9b374d3c140b4d0e71f05037cc8d575deaf2356831daaf716323a97b09d98a6e2b

Download Submit
memory/2000-98-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2000-125-0x0000000073F11000-0x0000000073F13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads