9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8

Analysis

max time kernel
57s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
Size

72KB
MD5

902ed1f10bfdb742fbcc4232e1ba2ab5
SHA1

f3d6ccb473ab824fe7f983ac6d4fcfabf4d8bd0f
SHA256

9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8
SHA512

9bb4fefa715ba62367b55c4f85fc0191cba7c79da175957a86954475ca05de353d010259492aea4838a9d4076a6e382f6e70c2ef34caf31fc44735d6acf259ff
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k7s:teThavEjDWguKU7s

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Executes dropped EXE 55 IoCs

pid	Process
1016	backup.exe
1080	backup.exe
1680	backup.exe
1572	backup.exe
1896	backup.exe
884	System Restore.exe
1880	backup.exe
856	backup.exe
1524	backup.exe
2028	backup.exe
808	backup.exe
1548	backup.exe
1560	backup.exe
1848	backup.exe
1620	backup.exe
988	update.exe
1160	backup.exe
1592	backup.exe
1732	backup.exe
2000	backup.exe
1772	backup.exe
948	backup.exe
1676	backup.exe
1860	backup.exe
1896	backup.exe
1176	backup.exe
1152	backup.exe
1832	update.exe
960	backup.exe
2012	System Restore.exe
1464	backup.exe
816	backup.exe
360	backup.exe
2028	backup.exe
1836	backup.exe
896	backup.exe
1692	backup.exe
1548	backup.exe
1696	backup.exe
1804	backup.exe
280	backup.exe
1944	backup.exe
1100	backup.exe
1604	update.exe
1244	backup.exe
1652	backup.exe
940	backup.exe
1080	backup.exe
1636	backup.exe
1676	backup.exe
1748	update.exe
516	backup.exe
756	backup.exe
1756	backup.exe
1332	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1572	backup.exe
1572	backup.exe
1880	backup.exe
1880	backup.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1572	backup.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1572	backup.exe
808	backup.exe
808	backup.exe
1548	backup.exe
1548	backup.exe
808	backup.exe
808	backup.exe
1848	backup.exe
1848	backup.exe
1620	backup.exe
1572	backup.exe
1572	backup.exe
1160	backup.exe
1160	backup.exe
1592	backup.exe
1592	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1732	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
808	backup.exe
808	backup.exe
1848	backup.exe
1848	backup.exe
1772	backup.exe
1772	backup.exe
988	update.exe
988	update.exe
1848	backup.exe
1848	backup.exe
1860	backup.exe
988	update.exe
1832	update.exe
1832	update.exe
1832	update.exe
1152	backup.exe
1152	backup.exe
1772	backup.exe
1772	backup.exe
2012	System Restore.exe
2012	System Restore.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
1016	backup.exe
1080	backup.exe
1680	backup.exe
1572	backup.exe
1896	backup.exe
884	System Restore.exe
1880	backup.exe
856	backup.exe
1524	backup.exe
2028	backup.exe
808	backup.exe
1548	backup.exe
1560	backup.exe
1848	backup.exe
1620	backup.exe
1160	backup.exe
1592	backup.exe
1732	backup.exe
2000	backup.exe
1772	backup.exe
948	backup.exe
1676	backup.exe
1860	backup.exe
1896	backup.exe
1176	backup.exe
1152	backup.exe
960	backup.exe
988	update.exe
1832	update.exe
2012	System Restore.exe
1464	backup.exe
816	backup.exe
360	backup.exe
2028	backup.exe
896	backup.exe
1692	backup.exe
1548	backup.exe
1696	backup.exe
1804	backup.exe
1944	backup.exe
280	backup.exe
1100	backup.exe
1244	backup.exe
1604	update.exe
1652	backup.exe
1080	backup.exe
940	backup.exe
1676	backup.exe
1636	backup.exe
516	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1016	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	26
PID 1404 wrote to memory of 1016	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	26
PID 1404 wrote to memory of 1016	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	26
PID 1404 wrote to memory of 1016	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	26
PID 1404 wrote to memory of 1080	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	27
PID 1404 wrote to memory of 1080	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	27
PID 1404 wrote to memory of 1080	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	27
PID 1404 wrote to memory of 1080	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	27
PID 1404 wrote to memory of 1680	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	28
PID 1404 wrote to memory of 1680	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	28
PID 1404 wrote to memory of 1680	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	28
PID 1404 wrote to memory of 1680	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	28
PID 1016 wrote to memory of 1572	1016	backup.exe	29
PID 1016 wrote to memory of 1572	1016	backup.exe	29
PID 1016 wrote to memory of 1572	1016	backup.exe	29
PID 1016 wrote to memory of 1572	1016	backup.exe	29
PID 1404 wrote to memory of 1896	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	30
PID 1404 wrote to memory of 1896	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	30
PID 1404 wrote to memory of 1896	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	30
PID 1404 wrote to memory of 1896	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	30
PID 1404 wrote to memory of 884	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	31
PID 1404 wrote to memory of 884	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	31
PID 1404 wrote to memory of 884	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	31
PID 1404 wrote to memory of 884	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	31
PID 1572 wrote to memory of 1880	1572	backup.exe	32
PID 1572 wrote to memory of 1880	1572	backup.exe	32
PID 1572 wrote to memory of 1880	1572	backup.exe	32
PID 1572 wrote to memory of 1880	1572	backup.exe	32
PID 1880 wrote to memory of 856	1880	backup.exe	33
PID 1880 wrote to memory of 856	1880	backup.exe	33
PID 1880 wrote to memory of 856	1880	backup.exe	33
PID 1880 wrote to memory of 856	1880	backup.exe	33
PID 1404 wrote to memory of 1524	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	34
PID 1404 wrote to memory of 1524	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	34
PID 1404 wrote to memory of 1524	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	34
PID 1404 wrote to memory of 1524	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	34
PID 1404 wrote to memory of 2028	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	36
PID 1404 wrote to memory of 2028	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	36
PID 1404 wrote to memory of 2028	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	36
PID 1404 wrote to memory of 2028	1404	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe	36
PID 1572 wrote to memory of 808	1572	backup.exe	35
PID 1572 wrote to memory of 808	1572	backup.exe	35
PID 1572 wrote to memory of 808	1572	backup.exe	35
PID 1572 wrote to memory of 808	1572	backup.exe	35
PID 808 wrote to memory of 1548	808	backup.exe	37
PID 808 wrote to memory of 1548	808	backup.exe	37
PID 808 wrote to memory of 1548	808	backup.exe	37
PID 808 wrote to memory of 1548	808	backup.exe	37
PID 1548 wrote to memory of 1560	1548	backup.exe	38
PID 1548 wrote to memory of 1560	1548	backup.exe	38
PID 1548 wrote to memory of 1560	1548	backup.exe	38
PID 1548 wrote to memory of 1560	1548	backup.exe	38
PID 808 wrote to memory of 1848	808	backup.exe	39
PID 808 wrote to memory of 1848	808	backup.exe	39
PID 808 wrote to memory of 1848	808	backup.exe	39
PID 808 wrote to memory of 1848	808	backup.exe	39
PID 1848 wrote to memory of 1620	1848	backup.exe	40
PID 1848 wrote to memory of 1620	1848	backup.exe	40
PID 1848 wrote to memory of 1620	1848	backup.exe	40
PID 1848 wrote to memory of 1620	1848	backup.exe	40
PID 1620 wrote to memory of 988	1620	backup.exe	41
PID 1620 wrote to memory of 988	1620	backup.exe	41
PID 1620 wrote to memory of 988	1620	backup.exe	41
PID 1620 wrote to memory of 988	1620	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe
"C:\Users\Admin\AppData\Local\Temp\9dae4953cc6aba4171f35a826fbfb0deaf06fac643dccf40c650524d4ef2cfd8.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1404
- C:\Users\Admin\AppData\Local\Temp\734086432\backup.exe
  C:\Users\Admin\AppData\Local\Temp\734086432\backup.exe C:\Users\Admin\AppData\Local\Temp\734086432\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1016
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1572
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1880
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:808
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1548
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1848
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:428
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1896
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:268
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1316
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1476
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:516
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1860
      - C:\Program Files\DVD Maker\de-DE\update.exe
        
        "C:\Program Files\DVD Maker\de-DE\update.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        
        PID:1836
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        
        PID:1332
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1804
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1244
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1484
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:516
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:328
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1820
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2032
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1524
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1444
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:896
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2016
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1160
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1220
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1660
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1220
        
        C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:748
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:932
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1824
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1780
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:988
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1088
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1872
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:820
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:824
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:852
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:280
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:676
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1080
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1100
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        
        PID:1748
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1632
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:984
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:884
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c65077871a2c820cd6947471d5eac51e

SHA1
13878a1953d83ce7a8dae89347f68fb32497ec83

SHA256
e8ee2f50fdce0a3863a3d1ee823eaaac52c0df8e6b85d34502e95aebbc19b079

SHA512
5560cf1720ce7569c52a92ebc9c0f400d8c2e8c3f83fb48b3930cffd6702bf4c04231df8603e9c81309002dad30a614e2d4774679a4f61dd6a0d7556a8b86de3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
588a3f3c8f5f576382a1f3b56fb9c328

SHA1
b0b0f6514a2ee4f94668eeb40586480cd04b3572

SHA256
02ea61b698fd5928afa40745719f64850c4cba6d35260d1d7741be5c1a2b25c5

SHA512
4c0bde004b2e04056939edb714a770a9fcf27d7ba5a5b02160ed45adf343e3014b137f0c0446d7a5093fca21eeccc50101633e2472536ad6056742826edc90a7

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
588a3f3c8f5f576382a1f3b56fb9c328

SHA1
b0b0f6514a2ee4f94668eeb40586480cd04b3572

SHA256
02ea61b698fd5928afa40745719f64850c4cba6d35260d1d7741be5c1a2b25c5

SHA512
4c0bde004b2e04056939edb714a770a9fcf27d7ba5a5b02160ed45adf343e3014b137f0c0446d7a5093fca21eeccc50101633e2472536ad6056742826edc90a7

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
b34124d65617465e9d8adb692ff4e96f

SHA1
dd519850c979a7d61d807ab70c8303b7e6aae063

SHA256
17fde1a1f6ca3537588683da2c01f01de450c322e2e0fbd618965feee940f406

SHA512
8a33f32530286915e584bd8623be242fcbaf37121246ba763e119ccebca130a6e8c41618a5b54e0b90ab93e94c0c5b59e5520920131dc2cae92e5019dd3d8682

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
31f7304e2e1c3bc5f62336360e6075e1

SHA1
4ce7d44b8eaa9b244c87e23087ad4ed3a08534cc

SHA256
fa21999a07db0b56ef3f470bd8d0fbc2d668488e1fbfbe9963556ade6b8e9ece

SHA512
d838377aa3cec15253c5b25b0bc28ac20e73bf3d59ba32beb5d8cbe4c10cb92dea5710f51487ccdff1b7dc4f9ca82769a791c02759728b45c98364b4cdc09aee

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
31f7304e2e1c3bc5f62336360e6075e1

SHA1
4ce7d44b8eaa9b244c87e23087ad4ed3a08534cc

SHA256
fa21999a07db0b56ef3f470bd8d0fbc2d668488e1fbfbe9963556ade6b8e9ece

SHA512
d838377aa3cec15253c5b25b0bc28ac20e73bf3d59ba32beb5d8cbe4c10cb92dea5710f51487ccdff1b7dc4f9ca82769a791c02759728b45c98364b4cdc09aee

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f655705eb4d75a5ea227423b2e43a728

SHA1
76c54ccb0c5ac3b3959a06b5d4992fe331826c7a

SHA256
4449163fa779a1cddcc830f10f40ff92659fcd6e4b090df6a35d7f0f05092d8c

SHA512
69d37f12281c2e7c891167b9d8baf9e56ac118d3494faa609d460567d0972d6001b659731f9f8b5da92a0d957c30363874c1996c779c05578888b593a4826155

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f655705eb4d75a5ea227423b2e43a728

SHA1
76c54ccb0c5ac3b3959a06b5d4992fe331826c7a

SHA256
4449163fa779a1cddcc830f10f40ff92659fcd6e4b090df6a35d7f0f05092d8c

SHA512
69d37f12281c2e7c891167b9d8baf9e56ac118d3494faa609d460567d0972d6001b659731f9f8b5da92a0d957c30363874c1996c779c05578888b593a4826155

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
96d9ad846bd8fe76085b1945af896d06

SHA1
af4214b1750115b69d4693e901324b997219fe1b

SHA256
b57a0cf4133a8f2a01ffec8fefeaa260dc2dcecc1f83a1c4b80064d5bdc18de4

SHA512
3ae1f2d59439ed35ef30d60a0fbe0a723e7760bcd56621aa2db56c39a04498e44d4dcd3a5ab0ba582db2b9f170d2a80e933fdc102777a0535d42bf8888c73d3f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a7a8c9484b5a145da77d7fbfea50b1dd

SHA1
ef944b77f7a4f8e17fce04cb035fb34a2e1ffe36

SHA256
a771900b2dfb628d7a82302bcadf03d5a7d95ca79d93dba258bf5c0cea078abe

SHA512
6e1ca678e4b4ef2524c493c2c78ed081b2083921bbcd25e6d951a9387dfdaf7518bdfc2d613cbf3706f27fc33a8a60e93f69c939eb1dcf27d8f03f9d2b42d704

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a7a8c9484b5a145da77d7fbfea50b1dd

SHA1
ef944b77f7a4f8e17fce04cb035fb34a2e1ffe36

SHA256
a771900b2dfb628d7a82302bcadf03d5a7d95ca79d93dba258bf5c0cea078abe

SHA512
6e1ca678e4b4ef2524c493c2c78ed081b2083921bbcd25e6d951a9387dfdaf7518bdfc2d613cbf3706f27fc33a8a60e93f69c939eb1dcf27d8f03f9d2b42d704

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
740d448d2db0374620d59185c39fd01f

SHA1
e8978eb0b15ceca028dad4c46bf84d737d05d865

SHA256
28fc89185f3fb0e5784835f0ed580f80e76c3ea92e91ad7fe65d904517cbb437

SHA512
24f999589f57beaaffe1440dfa19b17c73f23e2b81a21fa02e33d79f2f81ae3a8ad9a3382ddc0b7c874f72ee0a83ded695fbb43a578c5efb3c57e266fbfc543a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
740d448d2db0374620d59185c39fd01f

SHA1
e8978eb0b15ceca028dad4c46bf84d737d05d865

SHA256
28fc89185f3fb0e5784835f0ed580f80e76c3ea92e91ad7fe65d904517cbb437

SHA512
24f999589f57beaaffe1440dfa19b17c73f23e2b81a21fa02e33d79f2f81ae3a8ad9a3382ddc0b7c874f72ee0a83ded695fbb43a578c5efb3c57e266fbfc543a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
b4d52c689bc8d7c6c1edcb8d5580a349

SHA1
7d56e58f98c9a0b4716e563a8ac3dfd0826fc9d6

SHA256
206db9b90e4e0d4eeddaf96f845d9703bd1a7b673a98e7ca982e75bc2f12e60a

SHA512
1f22a109e9623ab45cc215ae66f8389f216477ec683a8c536e726c115792d958992f9e3ce82cc7d5d1729484fc92b549ab92378e671dce47fdc2b08038ab6376

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
b4d52c689bc8d7c6c1edcb8d5580a349

SHA1
7d56e58f98c9a0b4716e563a8ac3dfd0826fc9d6

SHA256
206db9b90e4e0d4eeddaf96f845d9703bd1a7b673a98e7ca982e75bc2f12e60a

SHA512
1f22a109e9623ab45cc215ae66f8389f216477ec683a8c536e726c115792d958992f9e3ce82cc7d5d1729484fc92b549ab92378e671dce47fdc2b08038ab6376

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0390e3e75769a19ab6235e2c8fe0ede4

SHA1
98c8a1ed4ac8f24ae590bd30a05bbf15209ed9d6

SHA256
84f4e074ce0a3339969fe1787cac2e2f22adb53e2a27a747cb01d1ba59e0b41f

SHA512
a988348c2bae23dc92710441c8be2abdfe8a58aaa1a9d0dbcf5af80fbda42eb6b10da2bb385e50cee7e03bae9a3234d7f844e91be8973536fc4d2e6881be519f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0390e3e75769a19ab6235e2c8fe0ede4

SHA1
98c8a1ed4ac8f24ae590bd30a05bbf15209ed9d6

SHA256
84f4e074ce0a3339969fe1787cac2e2f22adb53e2a27a747cb01d1ba59e0b41f

SHA512
a988348c2bae23dc92710441c8be2abdfe8a58aaa1a9d0dbcf5af80fbda42eb6b10da2bb385e50cee7e03bae9a3234d7f844e91be8973536fc4d2e6881be519f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
bf6a5083a46b2246a84f3a3968212570

SHA1
3dd06fe080f31157f5fe33daa3465de7c2b70794

SHA256
bf53b119575a385829dc7054d684d6bf0f94dbe3c2930ea72ee49c9900c505be

SHA512
9ed8a01689196968739dea0ab8c0b86565d063c2811742f9f55d13c63f2bee0bbc1f0b97c2d0db4f5345c69024088893a9a0620edb36ceb0df82876d31e761d5

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
bf6a5083a46b2246a84f3a3968212570

SHA1
3dd06fe080f31157f5fe33daa3465de7c2b70794

SHA256
bf53b119575a385829dc7054d684d6bf0f94dbe3c2930ea72ee49c9900c505be

SHA512
9ed8a01689196968739dea0ab8c0b86565d063c2811742f9f55d13c63f2bee0bbc1f0b97c2d0db4f5345c69024088893a9a0620edb36ceb0df82876d31e761d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\734086432\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\734086432\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
a8b10185c727081897bbebf7616b44c3

SHA1
6fbbc76c34b67ba62f16ba78898ebbbdaf400632

SHA256
b40aab193d97cf2c2bffeadf625de4d46025eb9f77a233e7485494b470bd1a3d

SHA512
84e70640ae9cdb9fe2807dc76c74e5e5d417b2f0ef36cbc24d85efea655e0fe1ce27904fbf77b1eb6541524bc5ca7552d3305f9670f4d79cbf01768f789d4de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
dd2fd03914308e8d8414ab4dd6bdafb4

SHA1
c1f31aee84bc43fe1afb26f8d40cf7e81fb807e3

SHA256
6d41e3cbcc015320928858c38a1b0c1ccc718134dbd2e0d7d62ced352a520903

SHA512
d6fb5dad384efd2e285b7bb62929994abf4fe18c05ebe4ba59e01bc610f67c18f33a61ef73113579f22745f53666ba1cadc3026d6be1a794da23c5626546ab63

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
484cfa0a6dac7e53373891bc2170bc89

SHA1
27e96661d011eb12721fdbc7a9cc6e7f3131e11a

SHA256
50138defd615826f78d8f5489149860f5f0e3b74dd72380a7b05b284c9cd6d07

SHA512
47b0f11a59d99f4cbfb0b01381fa0ae549ea97f077655dc46bcce3da16c75dbe077c307780821e179f6ae3cd724e85d8f00fe4e431dd1aed8204d6af12af5c39

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4dde0ec03b4845647b6c2048aa56d61f

SHA1
7810220616d78a8227f4a592adb6b2e65cf1cf5f

SHA256
41a77c6d47df3d562b6e98c6e3be26717387292c012ddb94c7236c82e3f00d01

SHA512
1d42678068d7949eb746b5de792cbc83519a295336f98ab062e0b0a7dea62d72d1d301cbe937711e2e991140ef033281a6a61c866f541c6d00dd45904a386929

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4dde0ec03b4845647b6c2048aa56d61f

SHA1
7810220616d78a8227f4a592adb6b2e65cf1cf5f

SHA256
41a77c6d47df3d562b6e98c6e3be26717387292c012ddb94c7236c82e3f00d01

SHA512
1d42678068d7949eb746b5de792cbc83519a295336f98ab062e0b0a7dea62d72d1d301cbe937711e2e991140ef033281a6a61c866f541c6d00dd45904a386929

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c65077871a2c820cd6947471d5eac51e

SHA1
13878a1953d83ce7a8dae89347f68fb32497ec83

SHA256
e8ee2f50fdce0a3863a3d1ee823eaaac52c0df8e6b85d34502e95aebbc19b079

SHA512
5560cf1720ce7569c52a92ebc9c0f400d8c2e8c3f83fb48b3930cffd6702bf4c04231df8603e9c81309002dad30a614e2d4774679a4f61dd6a0d7556a8b86de3

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c65077871a2c820cd6947471d5eac51e

SHA1
13878a1953d83ce7a8dae89347f68fb32497ec83

SHA256
e8ee2f50fdce0a3863a3d1ee823eaaac52c0df8e6b85d34502e95aebbc19b079

SHA512
5560cf1720ce7569c52a92ebc9c0f400d8c2e8c3f83fb48b3930cffd6702bf4c04231df8603e9c81309002dad30a614e2d4774679a4f61dd6a0d7556a8b86de3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
588a3f3c8f5f576382a1f3b56fb9c328

SHA1
b0b0f6514a2ee4f94668eeb40586480cd04b3572

SHA256
02ea61b698fd5928afa40745719f64850c4cba6d35260d1d7741be5c1a2b25c5

SHA512
4c0bde004b2e04056939edb714a770a9fcf27d7ba5a5b02160ed45adf343e3014b137f0c0446d7a5093fca21eeccc50101633e2472536ad6056742826edc90a7

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
588a3f3c8f5f576382a1f3b56fb9c328

SHA1
b0b0f6514a2ee4f94668eeb40586480cd04b3572

SHA256
02ea61b698fd5928afa40745719f64850c4cba6d35260d1d7741be5c1a2b25c5

SHA512
4c0bde004b2e04056939edb714a770a9fcf27d7ba5a5b02160ed45adf343e3014b137f0c0446d7a5093fca21eeccc50101633e2472536ad6056742826edc90a7

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
b34124d65617465e9d8adb692ff4e96f

SHA1
dd519850c979a7d61d807ab70c8303b7e6aae063

SHA256
17fde1a1f6ca3537588683da2c01f01de450c322e2e0fbd618965feee940f406

SHA512
8a33f32530286915e584bd8623be242fcbaf37121246ba763e119ccebca130a6e8c41618a5b54e0b90ab93e94c0c5b59e5520920131dc2cae92e5019dd3d8682

Download Submit
\Program Files (x86)\Adobe\Reader 9.0\backup.exe

Filesize
72KB

MD5
b34124d65617465e9d8adb692ff4e96f

SHA1
dd519850c979a7d61d807ab70c8303b7e6aae063

SHA256
17fde1a1f6ca3537588683da2c01f01de450c322e2e0fbd618965feee940f406

SHA512
8a33f32530286915e584bd8623be242fcbaf37121246ba763e119ccebca130a6e8c41618a5b54e0b90ab93e94c0c5b59e5520920131dc2cae92e5019dd3d8682

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
31f7304e2e1c3bc5f62336360e6075e1

SHA1
4ce7d44b8eaa9b244c87e23087ad4ed3a08534cc

SHA256
fa21999a07db0b56ef3f470bd8d0fbc2d668488e1fbfbe9963556ade6b8e9ece

SHA512
d838377aa3cec15253c5b25b0bc28ac20e73bf3d59ba32beb5d8cbe4c10cb92dea5710f51487ccdff1b7dc4f9ca82769a791c02759728b45c98364b4cdc09aee

Download Submit
\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
31f7304e2e1c3bc5f62336360e6075e1

SHA1
4ce7d44b8eaa9b244c87e23087ad4ed3a08534cc

SHA256
fa21999a07db0b56ef3f470bd8d0fbc2d668488e1fbfbe9963556ade6b8e9ece

SHA512
d838377aa3cec15253c5b25b0bc28ac20e73bf3d59ba32beb5d8cbe4c10cb92dea5710f51487ccdff1b7dc4f9ca82769a791c02759728b45c98364b4cdc09aee

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f655705eb4d75a5ea227423b2e43a728

SHA1
76c54ccb0c5ac3b3959a06b5d4992fe331826c7a

SHA256
4449163fa779a1cddcc830f10f40ff92659fcd6e4b090df6a35d7f0f05092d8c

SHA512
69d37f12281c2e7c891167b9d8baf9e56ac118d3494faa609d460567d0972d6001b659731f9f8b5da92a0d957c30363874c1996c779c05578888b593a4826155

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f655705eb4d75a5ea227423b2e43a728

SHA1
76c54ccb0c5ac3b3959a06b5d4992fe331826c7a

SHA256
4449163fa779a1cddcc830f10f40ff92659fcd6e4b090df6a35d7f0f05092d8c

SHA512
69d37f12281c2e7c891167b9d8baf9e56ac118d3494faa609d460567d0972d6001b659731f9f8b5da92a0d957c30363874c1996c779c05578888b593a4826155

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
96d9ad846bd8fe76085b1945af896d06

SHA1
af4214b1750115b69d4693e901324b997219fe1b

SHA256
b57a0cf4133a8f2a01ffec8fefeaa260dc2dcecc1f83a1c4b80064d5bdc18de4

SHA512
3ae1f2d59439ed35ef30d60a0fbe0a723e7760bcd56621aa2db56c39a04498e44d4dcd3a5ab0ba582db2b9f170d2a80e933fdc102777a0535d42bf8888c73d3f

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
96d9ad846bd8fe76085b1945af896d06

SHA1
af4214b1750115b69d4693e901324b997219fe1b

SHA256
b57a0cf4133a8f2a01ffec8fefeaa260dc2dcecc1f83a1c4b80064d5bdc18de4

SHA512
3ae1f2d59439ed35ef30d60a0fbe0a723e7760bcd56621aa2db56c39a04498e44d4dcd3a5ab0ba582db2b9f170d2a80e933fdc102777a0535d42bf8888c73d3f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a7a8c9484b5a145da77d7fbfea50b1dd

SHA1
ef944b77f7a4f8e17fce04cb035fb34a2e1ffe36

SHA256
a771900b2dfb628d7a82302bcadf03d5a7d95ca79d93dba258bf5c0cea078abe

SHA512
6e1ca678e4b4ef2524c493c2c78ed081b2083921bbcd25e6d951a9387dfdaf7518bdfc2d613cbf3706f27fc33a8a60e93f69c939eb1dcf27d8f03f9d2b42d704

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
a7a8c9484b5a145da77d7fbfea50b1dd

SHA1
ef944b77f7a4f8e17fce04cb035fb34a2e1ffe36

SHA256
a771900b2dfb628d7a82302bcadf03d5a7d95ca79d93dba258bf5c0cea078abe

SHA512
6e1ca678e4b4ef2524c493c2c78ed081b2083921bbcd25e6d951a9387dfdaf7518bdfc2d613cbf3706f27fc33a8a60e93f69c939eb1dcf27d8f03f9d2b42d704

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\update.exe

Filesize
72KB

MD5
740d448d2db0374620d59185c39fd01f

SHA1
e8978eb0b15ceca028dad4c46bf84d737d05d865

SHA256
28fc89185f3fb0e5784835f0ed580f80e76c3ea92e91ad7fe65d904517cbb437

SHA512
24f999589f57beaaffe1440dfa19b17c73f23e2b81a21fa02e33d79f2f81ae3a8ad9a3382ddc0b7c874f72ee0a83ded695fbb43a578c5efb3c57e266fbfc543a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
b4d52c689bc8d7c6c1edcb8d5580a349

SHA1
7d56e58f98c9a0b4716e563a8ac3dfd0826fc9d6

SHA256
206db9b90e4e0d4eeddaf96f845d9703bd1a7b673a98e7ca982e75bc2f12e60a

SHA512
1f22a109e9623ab45cc215ae66f8389f216477ec683a8c536e726c115792d958992f9e3ce82cc7d5d1729484fc92b549ab92378e671dce47fdc2b08038ab6376

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
b4d52c689bc8d7c6c1edcb8d5580a349

SHA1
7d56e58f98c9a0b4716e563a8ac3dfd0826fc9d6

SHA256
206db9b90e4e0d4eeddaf96f845d9703bd1a7b673a98e7ca982e75bc2f12e60a

SHA512
1f22a109e9623ab45cc215ae66f8389f216477ec683a8c536e726c115792d958992f9e3ce82cc7d5d1729484fc92b549ab92378e671dce47fdc2b08038ab6376

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0390e3e75769a19ab6235e2c8fe0ede4

SHA1
98c8a1ed4ac8f24ae590bd30a05bbf15209ed9d6

SHA256
84f4e074ce0a3339969fe1787cac2e2f22adb53e2a27a747cb01d1ba59e0b41f

SHA512
a988348c2bae23dc92710441c8be2abdfe8a58aaa1a9d0dbcf5af80fbda42eb6b10da2bb385e50cee7e03bae9a3234d7f844e91be8973536fc4d2e6881be519f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0390e3e75769a19ab6235e2c8fe0ede4

SHA1
98c8a1ed4ac8f24ae590bd30a05bbf15209ed9d6

SHA256
84f4e074ce0a3339969fe1787cac2e2f22adb53e2a27a747cb01d1ba59e0b41f

SHA512
a988348c2bae23dc92710441c8be2abdfe8a58aaa1a9d0dbcf5af80fbda42eb6b10da2bb385e50cee7e03bae9a3234d7f844e91be8973536fc4d2e6881be519f

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
bf6a5083a46b2246a84f3a3968212570

SHA1
3dd06fe080f31157f5fe33daa3465de7c2b70794

SHA256
bf53b119575a385829dc7054d684d6bf0f94dbe3c2930ea72ee49c9900c505be

SHA512
9ed8a01689196968739dea0ab8c0b86565d063c2811742f9f55d13c63f2bee0bbc1f0b97c2d0db4f5345c69024088893a9a0620edb36ceb0df82876d31e761d5

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
bf6a5083a46b2246a84f3a3968212570

SHA1
3dd06fe080f31157f5fe33daa3465de7c2b70794

SHA256
bf53b119575a385829dc7054d684d6bf0f94dbe3c2930ea72ee49c9900c505be

SHA512
9ed8a01689196968739dea0ab8c0b86565d063c2811742f9f55d13c63f2bee0bbc1f0b97c2d0db4f5345c69024088893a9a0620edb36ceb0df82876d31e761d5

Download Submit
\Users\Admin\AppData\Local\Temp\734086432\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
\Users\Admin\AppData\Local\Temp\734086432\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
03efe2ce879676452b5f3e75e0bdd4da

SHA1
a9ea35f43954753b71b3d5d9be6d1b7c56c12047

SHA256
c1e811f8c846fcefc4dab6700eaf75cf0b277d139a0a29078959d50b2f8cd94c

SHA512
a9124385d6a9a267fc3771735c036adccb771d5560921f74979aae3a3d4d5e6a61c0373c71d6fe95210fead57c750c95539d545d72d733945a7eca4d02db29c0

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
a8b10185c727081897bbebf7616b44c3

SHA1
6fbbc76c34b67ba62f16ba78898ebbbdaf400632

SHA256
b40aab193d97cf2c2bffeadf625de4d46025eb9f77a233e7485494b470bd1a3d

SHA512
84e70640ae9cdb9fe2807dc76c74e5e5d417b2f0ef36cbc24d85efea655e0fe1ce27904fbf77b1eb6541524bc5ca7552d3305f9670f4d79cbf01768f789d4de2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
a8b10185c727081897bbebf7616b44c3

SHA1
6fbbc76c34b67ba62f16ba78898ebbbdaf400632

SHA256
b40aab193d97cf2c2bffeadf625de4d46025eb9f77a233e7485494b470bd1a3d

SHA512
84e70640ae9cdb9fe2807dc76c74e5e5d417b2f0ef36cbc24d85efea655e0fe1ce27904fbf77b1eb6541524bc5ca7552d3305f9670f4d79cbf01768f789d4de2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
dd2fd03914308e8d8414ab4dd6bdafb4

SHA1
c1f31aee84bc43fe1afb26f8d40cf7e81fb807e3

SHA256
6d41e3cbcc015320928858c38a1b0c1ccc718134dbd2e0d7d62ced352a520903

SHA512
d6fb5dad384efd2e285b7bb62929994abf4fe18c05ebe4ba59e01bc610f67c18f33a61ef73113579f22745f53666ba1cadc3026d6be1a794da23c5626546ab63

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
dd2fd03914308e8d8414ab4dd6bdafb4

SHA1
c1f31aee84bc43fe1afb26f8d40cf7e81fb807e3

SHA256
6d41e3cbcc015320928858c38a1b0c1ccc718134dbd2e0d7d62ced352a520903

SHA512
d6fb5dad384efd2e285b7bb62929994abf4fe18c05ebe4ba59e01bc610f67c18f33a61ef73113579f22745f53666ba1cadc3026d6be1a794da23c5626546ab63

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ec94f4fe487ea75bdeee4822ee72b43b

SHA1
02c3f8867b5215aea667275f5619f4c9188ae541

SHA256
73750f94464a5ab3c68292a4835652a4c5726e8002b114c6aa24e53b64315f6c

SHA512
3c200aff49e3de24aa07a27225776979fd874c019c0fd209300802588fd9e61b2a6157e02d3547424cc656239ba6d30ba42b773f5360177eb54f532a44674c49

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
484cfa0a6dac7e53373891bc2170bc89

SHA1
27e96661d011eb12721fdbc7a9cc6e7f3131e11a

SHA256
50138defd615826f78d8f5489149860f5f0e3b74dd72380a7b05b284c9cd6d07

SHA512
47b0f11a59d99f4cbfb0b01381fa0ae549ea97f077655dc46bcce3da16c75dbe077c307780821e179f6ae3cd724e85d8f00fe4e431dd1aed8204d6af12af5c39

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
484cfa0a6dac7e53373891bc2170bc89

SHA1
27e96661d011eb12721fdbc7a9cc6e7f3131e11a

SHA256
50138defd615826f78d8f5489149860f5f0e3b74dd72380a7b05b284c9cd6d07

SHA512
47b0f11a59d99f4cbfb0b01381fa0ae549ea97f077655dc46bcce3da16c75dbe077c307780821e179f6ae3cd724e85d8f00fe4e431dd1aed8204d6af12af5c39

Download Submit
memory/1404-123-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads