e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9

Analysis

max time kernel
153s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
Size

72KB
MD5

963a71ab6a20f55b01e817ec7aa82845
SHA1

3c4126ce08d7e204553c49a9c6d398fcfed28ee5
SHA256

e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9
SHA512

475f2708b5adcd7c1899708a3641c9a91375de36f40c0cdeba936879beb7eb2fa0541d0744286bf037c284e50f4bc9dba0f1f09347917e7ad2da271cd02538fd
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGa:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrH

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1472	System Restore.exe
1108	backup.exe
1804	backup.exe
1752	backup.exe
1700	backup.exe
1816	backup.exe
432	backup.exe
1600	backup.exe
272	backup.exe
1800	backup.exe
1164	backup.exe
1976	backup.exe
576	backup.exe
1748	backup.exe
1660	System Restore.exe
1632	backup.exe
1692	backup.exe
1540	backup.exe
1588	backup.exe
696	data.exe
764	backup.exe
888	backup.exe
792	backup.exe
972	backup.exe
948	backup.exe
1956	backup.exe
652	backup.exe
580	backup.exe
544	backup.exe
1084	backup.exe
1924	backup.exe
1876	backup.exe
900	backup.exe
272	backup.exe
924	backup.exe
1960	backup.exe
1680	backup.exe
576	backup.exe
1976	backup.exe
1676	backup.exe
532	backup.exe
360	backup.exe
1632	backup.exe
240	data.exe
1088	backup.exe
1372	backup.exe
1596	backup.exe
1476	backup.exe
1352	backup.exe
1744	backup.exe
1112	backup.exe
956	backup.exe
964	backup.exe
1172	backup.exe
1964	backup.exe
380	backup.exe
1672	backup.exe
1204	backup.exe
1184	backup.exe
976	backup.exe
1616	backup.exe
932	backup.exe
1516	backup.exe
1668	update.exe

Loads dropped DLL 64 IoCs

pid	Process
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1752	backup.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1752	backup.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1816	backup.exe
1816	backup.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1752	backup.exe
1752	backup.exe
1164	backup.exe
1164	backup.exe
1976	backup.exe
1976	backup.exe
1164	backup.exe
1164	backup.exe
1748	backup.exe
1748	backup.exe
1660	System Restore.exe
1660	System Restore.exe
1660	System Restore.exe
1660	System Restore.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1692	backup.exe
1752	backup.exe
1752	backup.exe
1692	backup.exe
1692	backup.exe
948	backup.exe
948	backup.exe
652	backup.exe
652	backup.exe
1692	backup.exe
1692	backup.exe
580	backup.exe
580	backup.exe
1692	backup.exe
1692	backup.exe
1164	backup.exe
1164	backup.exe
1692	backup.exe
1692	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
1472	System Restore.exe
1108	backup.exe
1804	backup.exe
1752	backup.exe
1700	backup.exe
1816	backup.exe
432	backup.exe
1600	backup.exe
1800	backup.exe
272	backup.exe
1164	backup.exe
1976	backup.exe
576	backup.exe
1748	backup.exe
1660	System Restore.exe
1632	backup.exe
1692	backup.exe
1540	backup.exe
1588	backup.exe
696	data.exe
764	backup.exe
888	backup.exe
792	backup.exe
972	backup.exe
948	backup.exe
1956	backup.exe
652	backup.exe
580	backup.exe
544	backup.exe
1084	backup.exe
1924	backup.exe
1876	backup.exe
900	backup.exe
272	backup.exe
924	backup.exe
1960	backup.exe
1680	backup.exe
1976	backup.exe
576	backup.exe
1676	backup.exe
532	backup.exe
360	backup.exe
1632	backup.exe
1088	backup.exe
240	data.exe
1372	backup.exe
1596	backup.exe
1476	backup.exe
1352	backup.exe
1744	backup.exe
1112	backup.exe
956	backup.exe
964	backup.exe
1172	backup.exe
1964	backup.exe
380	backup.exe
1672	backup.exe
1204	backup.exe
1184	backup.exe
976	backup.exe
1616	backup.exe
932	backup.exe
1516	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1472	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	26
PID 1096 wrote to memory of 1472	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	26
PID 1096 wrote to memory of 1472	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	26
PID 1096 wrote to memory of 1472	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	26
PID 1096 wrote to memory of 1108	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	27
PID 1096 wrote to memory of 1108	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	27
PID 1096 wrote to memory of 1108	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	27
PID 1096 wrote to memory of 1108	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	27
PID 1096 wrote to memory of 1804	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	28
PID 1096 wrote to memory of 1804	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	28
PID 1096 wrote to memory of 1804	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	28
PID 1096 wrote to memory of 1804	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	28
PID 1472 wrote to memory of 1752	1472	System Restore.exe	29
PID 1472 wrote to memory of 1752	1472	System Restore.exe	29
PID 1472 wrote to memory of 1752	1472	System Restore.exe	29
PID 1472 wrote to memory of 1752	1472	System Restore.exe	29
PID 1096 wrote to memory of 1700	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	30
PID 1096 wrote to memory of 1700	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	30
PID 1096 wrote to memory of 1700	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	30
PID 1096 wrote to memory of 1700	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	30
PID 1752 wrote to memory of 1816	1752	backup.exe	32
PID 1752 wrote to memory of 1816	1752	backup.exe	32
PID 1752 wrote to memory of 1816	1752	backup.exe	32
PID 1752 wrote to memory of 1816	1752	backup.exe	32
PID 1096 wrote to memory of 432	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	31
PID 1096 wrote to memory of 432	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	31
PID 1096 wrote to memory of 432	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	31
PID 1096 wrote to memory of 432	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	31
PID 1096 wrote to memory of 1600	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	33
PID 1096 wrote to memory of 1600	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	33
PID 1096 wrote to memory of 1600	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	33
PID 1096 wrote to memory of 1600	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	33
PID 1816 wrote to memory of 272	1816	backup.exe	34
PID 1816 wrote to memory of 272	1816	backup.exe	34
PID 1816 wrote to memory of 272	1816	backup.exe	34
PID 1816 wrote to memory of 272	1816	backup.exe	34
PID 1096 wrote to memory of 1800	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	35
PID 1096 wrote to memory of 1800	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	35
PID 1096 wrote to memory of 1800	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	35
PID 1096 wrote to memory of 1800	1096	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	35
PID 1752 wrote to memory of 1164	1752	backup.exe	36
PID 1752 wrote to memory of 1164	1752	backup.exe	36
PID 1752 wrote to memory of 1164	1752	backup.exe	36
PID 1752 wrote to memory of 1164	1752	backup.exe	36
PID 1164 wrote to memory of 1976	1164	backup.exe	37
PID 1164 wrote to memory of 1976	1164	backup.exe	37
PID 1164 wrote to memory of 1976	1164	backup.exe	37
PID 1164 wrote to memory of 1976	1164	backup.exe	37
PID 1976 wrote to memory of 576	1976	backup.exe	38
PID 1976 wrote to memory of 576	1976	backup.exe	38
PID 1976 wrote to memory of 576	1976	backup.exe	38
PID 1976 wrote to memory of 576	1976	backup.exe	38
PID 1164 wrote to memory of 1748	1164	backup.exe	39
PID 1164 wrote to memory of 1748	1164	backup.exe	39
PID 1164 wrote to memory of 1748	1164	backup.exe	39
PID 1164 wrote to memory of 1748	1164	backup.exe	39
PID 1748 wrote to memory of 1660	1748	backup.exe	40
PID 1748 wrote to memory of 1660	1748	backup.exe	40
PID 1748 wrote to memory of 1660	1748	backup.exe	40
PID 1748 wrote to memory of 1660	1748	backup.exe	40
PID 1660 wrote to memory of 1632	1660	System Restore.exe	41
PID 1660 wrote to memory of 1632	1660	System Restore.exe	41
PID 1660 wrote to memory of 1632	1660	System Restore.exe	41
PID 1660 wrote to memory of 1632	1660	System Restore.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
"C:\Users\Admin\AppData\Local\Temp\e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\2592307157\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:272
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Program Files\Common Files\Microsoft Shared\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:2284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:380
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2140
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1372
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:652
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\System\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\es-ES\update.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:856
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1560
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:828
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:800
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1484
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1636
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2432
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
      - C:\Program Files\DVD Maker\es-ES\data.exe
        
        "C:\Program Files\DVD Maker\es-ES\data.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:240
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1540
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1092
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        System policy modification
        
        PID:576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        System policy modification
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:1144
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:692
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        System policy modification
        
        PID:1088
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        System policy modification
        
        PID:1560
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1208
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1956
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2096
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:2192
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2312
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2460
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:364
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System policy modification
        
        PID:1516
        
        C:\Program Files\Google\Chrome\Application\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:1308
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:888
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:632
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1172
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1248
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        System policy modification
        
        PID:900
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:1184
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:452
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:856
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1284
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:968
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1676
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1648
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1536
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:952
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1460
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:688
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2148
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2244
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2368
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2508
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2012
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1780
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1752
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2156
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2252
    - - C:\Program Files\Reference Assemblies\update.exe
        
        "C:\Program Files\Reference Assemblies\update.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2376
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2524
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:948
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:652
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        System policy modification
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        System policy modification
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        System policy modification
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:976
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1120
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:864
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:1740
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1072
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1936
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Drops file in Program Files directory
        
        PID:968
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1212
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1956
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1960
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1860
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:900
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1520
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:364
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:2088
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:2208
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        
        PID:2320
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        
        PID:2472
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1640
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1668
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2072
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1952
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:1168
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1088
      - C:\Program Files (x86)\Google\Temp\update.exe
        
        "C:\Program Files (x86)\Google\Temp\update.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:960
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1248
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1564
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1144
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2132
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2260
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2348
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2516
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1996
    - - C:\Users\Admin\System Restore.exe
        
        "C:\Users\Admin\System Restore.exe" C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:360
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1588
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:992
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:632
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:624
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:696
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
      - C:\Users\Admin\Music\System Restore.exe
        
        "C:\Users\Admin\Music\System Restore.exe" C:\Users\Admin\Music\
        6⤵
        System policy modification
        
        PID:1672
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1676
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
      - C:\Users\Admin\Searches\update.exe
        
        C:\Users\Admin\Searches\update.exe C:\Users\Admin\Searches\
        6⤵
        System policy modification
        
        PID:1168
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:1520
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:1100
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1564
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:1676
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1844
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:856
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:900
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2080
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1768
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1172
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1736
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:860
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:1732
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:2332
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2444
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1936
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2180
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2296
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2452
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
32c5a8499c694844804819707f370b65

SHA1
3faf07c3f5d732519be9c40f7126116b86cdb4bd

SHA256
ca4fc769ef737801ee3904c6fbca4f204b962ce69f04341291186db8af298cba

SHA512
ef8627dd524c483c37bde10d16e412fc065759b2e1e09ab2da9c46f0897fca718af3a3adc760f08eb021ea04b64f08f561f21c55166590bc98e10699e4a82ae3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
01fe16cdae407a30cbb2f92459fd33a7

SHA1
3520e0e00dfc772232ed9f29e048aa9f60721c2c

SHA256
108b4905bed6921e5d62e187c9d79c687886ad61a7802a9006c8c1e2d4f4091e

SHA512
260cb3d37207a8fbe1d8834819f56654915b9d1ca3d0ebb834659851faebffd843ace3e87389bc2c01d6f8828487dcf744001683464d72fcd2459984f3556459

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
01fe16cdae407a30cbb2f92459fd33a7

SHA1
3520e0e00dfc772232ed9f29e048aa9f60721c2c

SHA256
108b4905bed6921e5d62e187c9d79c687886ad61a7802a9006c8c1e2d4f4091e

SHA512
260cb3d37207a8fbe1d8834819f56654915b9d1ca3d0ebb834659851faebffd843ace3e87389bc2c01d6f8828487dcf744001683464d72fcd2459984f3556459

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9fced2b8050a3d375a7fe750e409cc21

SHA1
0f9de9b916df787606d551f4454bc1fce32f9dfe

SHA256
5dcf606c4f0cffb046db3df087a3609962174ab12ee65a85b11f519420bdf88c

SHA512
b0c44e20419154983671b6762038e56eb342271abb1bdb15fce48ec5a566e52dc2616bb2dc0db1e43863a82358683c7ac98439cb87ba0fd8df302776d6e753fb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2bfd3397395c5781c1ced1c845097d0d

SHA1
f5349d2b3e065736057b320a728214b64f8c55dc

SHA256
445ff3282b11ebf0f78a6767ccf018a9b5e347fb041727ebf4b9ef0c451efed3

SHA512
cbe0563ccba04f6368cf13ec990506dfc8accd11ed214c9b327aea7b83daa97a56da95a9735e812ee2c2dbe24e5cc3e82529f533506e95945bfeec77fb62df3a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2bfd3397395c5781c1ced1c845097d0d

SHA1
f5349d2b3e065736057b320a728214b64f8c55dc

SHA256
445ff3282b11ebf0f78a6767ccf018a9b5e347fb041727ebf4b9ef0c451efed3

SHA512
cbe0563ccba04f6368cf13ec990506dfc8accd11ed214c9b327aea7b83daa97a56da95a9735e812ee2c2dbe24e5cc3e82529f533506e95945bfeec77fb62df3a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
d219f232b570b78de03d03ba162beeea

SHA1
2742fece652c5712e5efd0bb83c0bb82d54d7fe0

SHA256
665d54e7cbffc8e528b61ea80a59881fef39512a4e567056be8d47b7ccaa6fd7

SHA512
e85dd94f7b3d37a3a7a8da01ce0ff69a4657ac9fddb3b411e2609c9e873b10b09d275c9986bb8ed09ceeeeada6a0125aa9b538b33cffe45560266327786e0409

Download Submit
C:\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
d219f232b570b78de03d03ba162beeea

SHA1
2742fece652c5712e5efd0bb83c0bb82d54d7fe0

SHA256
665d54e7cbffc8e528b61ea80a59881fef39512a4e567056be8d47b7ccaa6fd7

SHA512
e85dd94f7b3d37a3a7a8da01ce0ff69a4657ac9fddb3b411e2609c9e873b10b09d275c9986bb8ed09ceeeeada6a0125aa9b538b33cffe45560266327786e0409

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1ebc9b97f3a35dc50627d1dd2980a9f2

SHA1
64b5d9c815e5226f223626a197d7edbcdace7fc6

SHA256
b3514c6603a6046cd6517f9e5ec7e1f340facbccb4a4cddad908e71f799dcbb7

SHA512
225fc5add51e9771f7588a75872bd33ce38ca050dd9bef9b5100f4b0c378e0ccbc16168145ba4c08b4cba658d6c9f3ce1bef357d36b16a23a39dcf3d7f1993a1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
025dd37398d8c6557be70ab2efa36abf

SHA1
3aa8b9ab9efb0d13c1faca2900835ec5d5052492

SHA256
5279b7ba85eaf88701a75f5bc0ac35461755d84f72dce73686d0e3f2fa5814a6

SHA512
321b39906b35dadcdac07332ef9a8e111e8eead9e5e142cc3264053ed358c4b19b27deb092be5240dfadaf0a7644d6840a0a9d73ffd70b7896d4f3e2ccfdf2f2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0d63ff9e0151f8e0f2cac687258d51a7

SHA1
e06e0e92ecd63eb6510406f74917286ef3c89211

SHA256
85dabb82da558d224e928bf6d9406ab9a43a869de31438ead1c33e796f598c58

SHA512
b38c5dfe27e9dd695d07486e671c450180069f383381900d6b8be11447edff1f1c0c955d6f76f6a28cef29318cd3309bcdef2e21be13870058f37a81ef33b376

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0d63ff9e0151f8e0f2cac687258d51a7

SHA1
e06e0e92ecd63eb6510406f74917286ef3c89211

SHA256
85dabb82da558d224e928bf6d9406ab9a43a869de31438ead1c33e796f598c58

SHA512
b38c5dfe27e9dd695d07486e671c450180069f383381900d6b8be11447edff1f1c0c955d6f76f6a28cef29318cd3309bcdef2e21be13870058f37a81ef33b376

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8177db9db3db31f6acaca41da8304122

SHA1
a6244270cd0ac0cbb311892d52da52ce00f160e8

SHA256
496421dba9b7790487b8eab90e656d97d6008457b2a2793ee1d34d38cc9162f5

SHA512
aaf3bc124af8693856710818580850e9b3f7c99a387faed55d110be4adb1217028e81e6159240e945575f9159aabdadf170d77a133df4af8fdc52ded95e73e64

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8177db9db3db31f6acaca41da8304122

SHA1
a6244270cd0ac0cbb311892d52da52ce00f160e8

SHA256
496421dba9b7790487b8eab90e656d97d6008457b2a2793ee1d34d38cc9162f5

SHA512
aaf3bc124af8693856710818580850e9b3f7c99a387faed55d110be4adb1217028e81e6159240e945575f9159aabdadf170d77a133df4af8fdc52ded95e73e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b4265fe45036296115959b47107f7f09

SHA1
2d0613d792a00b12a7d986c477731f66cb490702

SHA256
b221a4d524fda7788056aec4e03b4d118b62a4d89bdb5ac8ddfa7523cb084477

SHA512
68b0b2f4099ea79d3d7e71b500a4cdff7e5884e785e78bed5a2fc8833b0de41d4d2a80d723c964de533875edb56fc6553cdce597c4a2fd3cb42f8542a1cf2784

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0df59637c40adf1318643bb93e53027

SHA1
ee905d596b82201d0afb1ce27cd6f4a2b883d6bd

SHA256
9fd9ade340f1cc91e4bbc11c5390f1080b70f905aa0bb749e6b1dbac7e25bbe9

SHA512
df4eb41640965ef476171c8276a20dee2213dfb7d4a6617c00d8191df17b04380159848a5a8ba6b1c397f9642ebfdc0259671b3fda89091d1c114233d6578382

Download Submit
C:\backup.exe

Filesize
72KB

MD5
81dce04074a3c8981a560ae266c61e81

SHA1
c874ec0352328f5b758022216d6c650b09f4ad6c

SHA256
ce0a916b30a2068be37edcf7e02e6ffaafc1503883fc6704992ae194775c010d

SHA512
69607badd5ba597972421ce9fc7d9f31d8c57e4ecebfdfdd82ee6d7e05cbf164d417566768d66bfe8237df6c92fde09354eeb1866ef602f188a713be8448af23

Download Submit
C:\backup.exe

Filesize
72KB

MD5
81dce04074a3c8981a560ae266c61e81

SHA1
c874ec0352328f5b758022216d6c650b09f4ad6c

SHA256
ce0a916b30a2068be37edcf7e02e6ffaafc1503883fc6704992ae194775c010d

SHA512
69607badd5ba597972421ce9fc7d9f31d8c57e4ecebfdfdd82ee6d7e05cbf164d417566768d66bfe8237df6c92fde09354eeb1866ef602f188a713be8448af23

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
32c5a8499c694844804819707f370b65

SHA1
3faf07c3f5d732519be9c40f7126116b86cdb4bd

SHA256
ca4fc769ef737801ee3904c6fbca4f204b962ce69f04341291186db8af298cba

SHA512
ef8627dd524c483c37bde10d16e412fc065759b2e1e09ab2da9c46f0897fca718af3a3adc760f08eb021ea04b64f08f561f21c55166590bc98e10699e4a82ae3

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
32c5a8499c694844804819707f370b65

SHA1
3faf07c3f5d732519be9c40f7126116b86cdb4bd

SHA256
ca4fc769ef737801ee3904c6fbca4f204b962ce69f04341291186db8af298cba

SHA512
ef8627dd524c483c37bde10d16e412fc065759b2e1e09ab2da9c46f0897fca718af3a3adc760f08eb021ea04b64f08f561f21c55166590bc98e10699e4a82ae3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
01fe16cdae407a30cbb2f92459fd33a7

SHA1
3520e0e00dfc772232ed9f29e048aa9f60721c2c

SHA256
108b4905bed6921e5d62e187c9d79c687886ad61a7802a9006c8c1e2d4f4091e

SHA512
260cb3d37207a8fbe1d8834819f56654915b9d1ca3d0ebb834659851faebffd843ace3e87389bc2c01d6f8828487dcf744001683464d72fcd2459984f3556459

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
01fe16cdae407a30cbb2f92459fd33a7

SHA1
3520e0e00dfc772232ed9f29e048aa9f60721c2c

SHA256
108b4905bed6921e5d62e187c9d79c687886ad61a7802a9006c8c1e2d4f4091e

SHA512
260cb3d37207a8fbe1d8834819f56654915b9d1ca3d0ebb834659851faebffd843ace3e87389bc2c01d6f8828487dcf744001683464d72fcd2459984f3556459

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9fced2b8050a3d375a7fe750e409cc21

SHA1
0f9de9b916df787606d551f4454bc1fce32f9dfe

SHA256
5dcf606c4f0cffb046db3df087a3609962174ab12ee65a85b11f519420bdf88c

SHA512
b0c44e20419154983671b6762038e56eb342271abb1bdb15fce48ec5a566e52dc2616bb2dc0db1e43863a82358683c7ac98439cb87ba0fd8df302776d6e753fb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9fced2b8050a3d375a7fe750e409cc21

SHA1
0f9de9b916df787606d551f4454bc1fce32f9dfe

SHA256
5dcf606c4f0cffb046db3df087a3609962174ab12ee65a85b11f519420bdf88c

SHA512
b0c44e20419154983671b6762038e56eb342271abb1bdb15fce48ec5a566e52dc2616bb2dc0db1e43863a82358683c7ac98439cb87ba0fd8df302776d6e753fb

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2bfd3397395c5781c1ced1c845097d0d

SHA1
f5349d2b3e065736057b320a728214b64f8c55dc

SHA256
445ff3282b11ebf0f78a6767ccf018a9b5e347fb041727ebf4b9ef0c451efed3

SHA512
cbe0563ccba04f6368cf13ec990506dfc8accd11ed214c9b327aea7b83daa97a56da95a9735e812ee2c2dbe24e5cc3e82529f533506e95945bfeec77fb62df3a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2bfd3397395c5781c1ced1c845097d0d

SHA1
f5349d2b3e065736057b320a728214b64f8c55dc

SHA256
445ff3282b11ebf0f78a6767ccf018a9b5e347fb041727ebf4b9ef0c451efed3

SHA512
cbe0563ccba04f6368cf13ec990506dfc8accd11ed214c9b327aea7b83daa97a56da95a9735e812ee2c2dbe24e5cc3e82529f533506e95945bfeec77fb62df3a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
d219f232b570b78de03d03ba162beeea

SHA1
2742fece652c5712e5efd0bb83c0bb82d54d7fe0

SHA256
665d54e7cbffc8e528b61ea80a59881fef39512a4e567056be8d47b7ccaa6fd7

SHA512
e85dd94f7b3d37a3a7a8da01ce0ff69a4657ac9fddb3b411e2609c9e873b10b09d275c9986bb8ed09ceeeeada6a0125aa9b538b33cffe45560266327786e0409

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
d219f232b570b78de03d03ba162beeea

SHA1
2742fece652c5712e5efd0bb83c0bb82d54d7fe0

SHA256
665d54e7cbffc8e528b61ea80a59881fef39512a4e567056be8d47b7ccaa6fd7

SHA512
e85dd94f7b3d37a3a7a8da01ce0ff69a4657ac9fddb3b411e2609c9e873b10b09d275c9986bb8ed09ceeeeada6a0125aa9b538b33cffe45560266327786e0409

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1ebc9b97f3a35dc50627d1dd2980a9f2

SHA1
64b5d9c815e5226f223626a197d7edbcdace7fc6

SHA256
b3514c6603a6046cd6517f9e5ec7e1f340facbccb4a4cddad908e71f799dcbb7

SHA512
225fc5add51e9771f7588a75872bd33ce38ca050dd9bef9b5100f4b0c378e0ccbc16168145ba4c08b4cba658d6c9f3ce1bef357d36b16a23a39dcf3d7f1993a1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1ebc9b97f3a35dc50627d1dd2980a9f2

SHA1
64b5d9c815e5226f223626a197d7edbcdace7fc6

SHA256
b3514c6603a6046cd6517f9e5ec7e1f340facbccb4a4cddad908e71f799dcbb7

SHA512
225fc5add51e9771f7588a75872bd33ce38ca050dd9bef9b5100f4b0c378e0ccbc16168145ba4c08b4cba658d6c9f3ce1bef357d36b16a23a39dcf3d7f1993a1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
aa5267da1b137cdfcc36e549c2da3cbd

SHA1
967b77388aca50b55e4cf4178c2c5a1c289e73f8

SHA256
448de59bd840b6dc1ae1aa42860e6ef5a1d7cc76b016f92d4702ee7e289e5b5d

SHA512
7c812361d6364ad057db5261874be5ac75d010207f73f8c6de3f5d80ed5d80553d91bdb3212b23ee998e935422e7369ae4d4c9dde271ddbc96fa0682d724ae6a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
025dd37398d8c6557be70ab2efa36abf

SHA1
3aa8b9ab9efb0d13c1faca2900835ec5d5052492

SHA256
5279b7ba85eaf88701a75f5bc0ac35461755d84f72dce73686d0e3f2fa5814a6

SHA512
321b39906b35dadcdac07332ef9a8e111e8eead9e5e142cc3264053ed358c4b19b27deb092be5240dfadaf0a7644d6840a0a9d73ffd70b7896d4f3e2ccfdf2f2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
025dd37398d8c6557be70ab2efa36abf

SHA1
3aa8b9ab9efb0d13c1faca2900835ec5d5052492

SHA256
5279b7ba85eaf88701a75f5bc0ac35461755d84f72dce73686d0e3f2fa5814a6

SHA512
321b39906b35dadcdac07332ef9a8e111e8eead9e5e142cc3264053ed358c4b19b27deb092be5240dfadaf0a7644d6840a0a9d73ffd70b7896d4f3e2ccfdf2f2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe

Filesize
72KB

MD5
025dd37398d8c6557be70ab2efa36abf

SHA1
3aa8b9ab9efb0d13c1faca2900835ec5d5052492

SHA256
5279b7ba85eaf88701a75f5bc0ac35461755d84f72dce73686d0e3f2fa5814a6

SHA512
321b39906b35dadcdac07332ef9a8e111e8eead9e5e142cc3264053ed358c4b19b27deb092be5240dfadaf0a7644d6840a0a9d73ffd70b7896d4f3e2ccfdf2f2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0d63ff9e0151f8e0f2cac687258d51a7

SHA1
e06e0e92ecd63eb6510406f74917286ef3c89211

SHA256
85dabb82da558d224e928bf6d9406ab9a43a869de31438ead1c33e796f598c58

SHA512
b38c5dfe27e9dd695d07486e671c450180069f383381900d6b8be11447edff1f1c0c955d6f76f6a28cef29318cd3309bcdef2e21be13870058f37a81ef33b376

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0d63ff9e0151f8e0f2cac687258d51a7

SHA1
e06e0e92ecd63eb6510406f74917286ef3c89211

SHA256
85dabb82da558d224e928bf6d9406ab9a43a869de31438ead1c33e796f598c58

SHA512
b38c5dfe27e9dd695d07486e671c450180069f383381900d6b8be11447edff1f1c0c955d6f76f6a28cef29318cd3309bcdef2e21be13870058f37a81ef33b376

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
8177db9db3db31f6acaca41da8304122

SHA1
a6244270cd0ac0cbb311892d52da52ce00f160e8

SHA256
496421dba9b7790487b8eab90e656d97d6008457b2a2793ee1d34d38cc9162f5

SHA512
aaf3bc124af8693856710818580850e9b3f7c99a387faed55d110be4adb1217028e81e6159240e945575f9159aabdadf170d77a133df4af8fdc52ded95e73e64

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
8177db9db3db31f6acaca41da8304122

SHA1
a6244270cd0ac0cbb311892d52da52ce00f160e8

SHA256
496421dba9b7790487b8eab90e656d97d6008457b2a2793ee1d34d38cc9162f5

SHA512
aaf3bc124af8693856710818580850e9b3f7c99a387faed55d110be4adb1217028e81e6159240e945575f9159aabdadf170d77a133df4af8fdc52ded95e73e64

Download Submit
\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
\Users\Admin\AppData\Local\Temp\2592307157\System Restore.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9ca531d87faffca23bb7b908471f8ad3

SHA1
0d85a651972013bd5a411ffb8b69ac4458044ca2

SHA256
c52c070a3af1804d6ec97e7e5a85b636bfbdb32406bb53a42565bf6d8482cd94

SHA512
3b40252ba33625a67bf3406cc224f3861a07c38c0b4c14497cc087fa8701f7ad1c491a03114e8250daac56becf9cf3354b69ecec25cd9dc510a220ae894c2abc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b4265fe45036296115959b47107f7f09

SHA1
2d0613d792a00b12a7d986c477731f66cb490702

SHA256
b221a4d524fda7788056aec4e03b4d118b62a4d89bdb5ac8ddfa7523cb084477

SHA512
68b0b2f4099ea79d3d7e71b500a4cdff7e5884e785e78bed5a2fc8833b0de41d4d2a80d723c964de533875edb56fc6553cdce597c4a2fd3cb42f8542a1cf2784

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b4265fe45036296115959b47107f7f09

SHA1
2d0613d792a00b12a7d986c477731f66cb490702

SHA256
b221a4d524fda7788056aec4e03b4d118b62a4d89bdb5ac8ddfa7523cb084477

SHA512
68b0b2f4099ea79d3d7e71b500a4cdff7e5884e785e78bed5a2fc8833b0de41d4d2a80d723c964de533875edb56fc6553cdce597c4a2fd3cb42f8542a1cf2784

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5ff5883acdbd6397283b29bed2b43005

SHA1
4eae796e6998569d7aead70c830c912ee4bb1aae

SHA256
e42ef01773f07e574089d27e35dd889185849da7cc0bed8f0def209bd09ddf9c

SHA512
e78e573e4b7fabbe7c35b2ca9e05437cd818d4dadf8d6910a3a039cbb67c85ebc99f75863e622512fa3af7f0c13e438a82d982439ffc3a6e95f496df6641a0b8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0df59637c40adf1318643bb93e53027

SHA1
ee905d596b82201d0afb1ce27cd6f4a2b883d6bd

SHA256
9fd9ade340f1cc91e4bbc11c5390f1080b70f905aa0bb749e6b1dbac7e25bbe9

SHA512
df4eb41640965ef476171c8276a20dee2213dfb7d4a6617c00d8191df17b04380159848a5a8ba6b1c397f9642ebfdc0259671b3fda89091d1c114233d6578382

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0df59637c40adf1318643bb93e53027

SHA1
ee905d596b82201d0afb1ce27cd6f4a2b883d6bd

SHA256
9fd9ade340f1cc91e4bbc11c5390f1080b70f905aa0bb749e6b1dbac7e25bbe9

SHA512
df4eb41640965ef476171c8276a20dee2213dfb7d4a6617c00d8191df17b04380159848a5a8ba6b1c397f9642ebfdc0259671b3fda89091d1c114233d6578382

Download Submit
memory/1096-125-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads