9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d

Analysis

max time kernel
41s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
Size

72KB
MD5

0886364b09a321e060deacbc9b6ee18f
SHA1

f6371eef7d89ea2c832f291828432aa2f9e45a1e
SHA256

9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d
SHA512

b0101db94effaac837e2c03ba36be65b3ee39c1734b62925bc5a285684f9c1a0bb339ba27c22466931d986918b8539c24251d5a07641fbdf67676c42a1e098cd
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k2Te:teThavEjDWguKUd

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
896	backup.exe
2000	backup.exe
1500	backup.exe
1292	backup.exe
824	backup.exe
1264	System Restore.exe
268	backup.exe
1924	backup.exe
1780	backup.exe
392	backup.exe
1868	backup.exe
1064	backup.exe
1144	backup.exe
1800	backup.exe
628	update.exe
1532	backup.exe
948	backup.exe
1164	backup.exe
1324	backup.exe
1576	backup.exe
2004	data.exe
1252	backup.exe
780	backup.exe
1368	backup.exe
624	backup.exe
1684	backup.exe
688	backup.exe
1528	backup.exe
1232	backup.exe
1348	backup.exe
1736	backup.exe
340	backup.exe
300	backup.exe
1100	backup.exe
1652	backup.exe
240	data.exe
1012	backup.exe
964	backup.exe
1196	backup.exe
1520	backup.exe
1392	backup.exe
844	backup.exe
1604	backup.exe
1336	backup.exe
832	System Restore.exe
1536	backup.exe
1264	backup.exe
856	backup.exe
108	backup.exe
468	backup.exe
1724	backup.exe
1004	backup.exe
392	backup.exe
1668	backup.exe
1544	backup.exe
1064	data.exe
1480	backup.exe
1880	backup.exe
892	backup.exe
968	backup.exe
1108	backup.exe
2000	backup.exe
1456	backup.exe
1416	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
824	backup.exe
824	backup.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
268	backup.exe
268	backup.exe
824	backup.exe
824	backup.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
1868	backup.exe
1868	backup.exe
1064	backup.exe
1064	backup.exe
1868	backup.exe
1868	backup.exe
1800	backup.exe
628	update.exe
628	update.exe
628	update.exe
628	update.exe
628	update.exe
1532	backup.exe
1532	backup.exe
1532	backup.exe
628	update.exe
628	update.exe
948	backup.exe
948	backup.exe
948	backup.exe
948	backup.exe
948	backup.exe
1164	backup.exe
1164	backup.exe
1164	backup.exe
948	backup.exe
948	backup.exe
1324	backup.exe
1324	backup.exe
1324	backup.exe
948	backup.exe
948	backup.exe
1576	backup.exe
1576	backup.exe
1576	backup.exe
948	backup.exe
948	backup.exe
2004	data.exe
2004	data.exe
2004	data.exe
948	backup.exe
948	backup.exe
1252	backup.exe
1252	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	data.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
896	backup.exe
2000	backup.exe
1500	backup.exe
1292	backup.exe
824	backup.exe
1264	System Restore.exe
268	backup.exe
1924	backup.exe
1780	backup.exe
392	backup.exe
1868	backup.exe
1064	backup.exe
1144	backup.exe
1800	backup.exe
628	update.exe
1532	backup.exe
948	backup.exe
1164	backup.exe
1324	backup.exe
1576	backup.exe
2004	data.exe
1252	backup.exe
780	backup.exe
1368	backup.exe
624	backup.exe
1684	backup.exe
688	backup.exe
1528	backup.exe
1232	backup.exe
1348	backup.exe
1736	backup.exe
340	backup.exe
300	backup.exe
1100	backup.exe
1652	backup.exe
240	data.exe
1012	backup.exe
964	backup.exe
1196	backup.exe
1520	backup.exe
1392	backup.exe
844	backup.exe
1604	backup.exe
1336	backup.exe
832	System Restore.exe
1536	backup.exe
1264	backup.exe
856	backup.exe
108	backup.exe
468	backup.exe
1724	backup.exe
1004	backup.exe
392	backup.exe
1668	backup.exe
1544	backup.exe
1064	data.exe
1480	backup.exe
1880	backup.exe
892	backup.exe
968	backup.exe
1108	backup.exe
2000	backup.exe
1456	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 896	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	28
PID 1932 wrote to memory of 896	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	28
PID 1932 wrote to memory of 896	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	28
PID 1932 wrote to memory of 896	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	28
PID 1932 wrote to memory of 2000	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	29
PID 1932 wrote to memory of 2000	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	29
PID 1932 wrote to memory of 2000	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	29
PID 1932 wrote to memory of 2000	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	29
PID 1932 wrote to memory of 1500	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	30
PID 1932 wrote to memory of 1500	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	30
PID 1932 wrote to memory of 1500	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	30
PID 1932 wrote to memory of 1500	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	30
PID 1932 wrote to memory of 1292	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	31
PID 1932 wrote to memory of 1292	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	31
PID 1932 wrote to memory of 1292	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	31
PID 1932 wrote to memory of 1292	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	31
PID 896 wrote to memory of 824	896	backup.exe	32
PID 896 wrote to memory of 824	896	backup.exe	32
PID 896 wrote to memory of 824	896	backup.exe	32
PID 896 wrote to memory of 824	896	backup.exe	32
PID 1932 wrote to memory of 1264	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	33
PID 1932 wrote to memory of 1264	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	33
PID 1932 wrote to memory of 1264	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	33
PID 1932 wrote to memory of 1264	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	33
PID 824 wrote to memory of 268	824	backup.exe	34
PID 824 wrote to memory of 268	824	backup.exe	34
PID 824 wrote to memory of 268	824	backup.exe	34
PID 824 wrote to memory of 268	824	backup.exe	34
PID 1932 wrote to memory of 1924	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	35
PID 1932 wrote to memory of 1924	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	35
PID 1932 wrote to memory of 1924	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	35
PID 1932 wrote to memory of 1924	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	35
PID 268 wrote to memory of 1780	268	backup.exe	36
PID 268 wrote to memory of 1780	268	backup.exe	36
PID 268 wrote to memory of 1780	268	backup.exe	36
PID 268 wrote to memory of 1780	268	backup.exe	36
PID 824 wrote to memory of 1868	824	backup.exe	38
PID 824 wrote to memory of 1868	824	backup.exe	38
PID 824 wrote to memory of 1868	824	backup.exe	38
PID 824 wrote to memory of 1868	824	backup.exe	38
PID 1932 wrote to memory of 392	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	37
PID 1932 wrote to memory of 392	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	37
PID 1932 wrote to memory of 392	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	37
PID 1932 wrote to memory of 392	1932	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe	37
PID 1868 wrote to memory of 1064	1868	backup.exe	39
PID 1868 wrote to memory of 1064	1868	backup.exe	39
PID 1868 wrote to memory of 1064	1868	backup.exe	39
PID 1868 wrote to memory of 1064	1868	backup.exe	39
PID 1064 wrote to memory of 1144	1064	backup.exe	40
PID 1064 wrote to memory of 1144	1064	backup.exe	40
PID 1064 wrote to memory of 1144	1064	backup.exe	40
PID 1064 wrote to memory of 1144	1064	backup.exe	40
PID 1868 wrote to memory of 1800	1868	backup.exe	41
PID 1868 wrote to memory of 1800	1868	backup.exe	41
PID 1868 wrote to memory of 1800	1868	backup.exe	41
PID 1868 wrote to memory of 1800	1868	backup.exe	41
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 1800 wrote to memory of 628	1800	backup.exe	42
PID 628 wrote to memory of 1532	628	update.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe

C:\Users\Admin\AppData\Local\Temp\9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe
"C:\Users\Admin\AppData\Local\Temp\9ba9c23048cf72007b4ffe97b78e2cd703399ed1b3b89f70f91d8139cafaf25d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932
- C:\Users\Admin\AppData\Local\Temp\3581269052\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3581269052\backup.exe C:\Users\Admin\AppData\Local\Temp\3581269052\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:268
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1064
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1800
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1876
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1068
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1652
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1508
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1824
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:300
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:364
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1684
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:760
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1992
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:392
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:300
      - C:\Program Files\DVD Maker\fr-FR\update.exe
        
        "C:\Program Files\DVD Maker\fr-FR\update.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        System policy modification
        
        PID:952
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:892
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:744
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:664
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:392
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1520
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1476
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:988
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:864
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:688
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:924
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:964
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1524
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1692
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1308
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1484
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1608
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1416
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1292
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1532
    - - C:\Program Files (x86)\Common Files\data.exe
        
        "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1580
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1112
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1840
      - C:\Program Files (x86)\Internet Explorer\de-DE\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\data.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1664
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:616
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1728
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      PID:1268
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:584
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1668
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1876
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1780
      - C:\Users\Admin\Downloads\System Restore.exe
        
        "C:\Users\Admin\Downloads\System Restore.exe" C:\Users\Admin\Downloads\
        6⤵
        
        PID:1276
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1724
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:968
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1264
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1752
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1060
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b667f1fed6bb58776dbee6a87f946bf

SHA1
ae8e45614b47c8becf7eff1936ace87aa96aea35

SHA256
eec05b0dfcd8638d66d5b7f1fb6491ac93bc5cff5d56af39c3bfad45bf1a68ec

SHA512
30302f2e77c9831bd9c88cd6608a8188edff141eb09ffec90fc80d4ff42990ae4fb6d3c045621766a9bf256d4d50586ec92daacb71d50a1238f45943ca42a6a7

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3581269052\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
C:\Users\Admin\AppData\Local\Temp\3581269052\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f3764085b7b35f3dd1a57dcfa2e56b5a

SHA1
be81f77f9031f4c444e31b83798b82cc54fc803c

SHA256
3840d001a67262827cb2c172327799632ea86f17e6b6926ae3dd72498cab6f09

SHA512
a8844463dc75ed30d4a931bdc670ba7a6a853b31e957feca7b52a50e6f53d8386505a0dc3a05e670d4d855724814746a47550c81855398c4131f155b8d1fc4d5

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f3764085b7b35f3dd1a57dcfa2e56b5a

SHA1
be81f77f9031f4c444e31b83798b82cc54fc803c

SHA256
3840d001a67262827cb2c172327799632ea86f17e6b6926ae3dd72498cab6f09

SHA512
a8844463dc75ed30d4a931bdc670ba7a6a853b31e957feca7b52a50e6f53d8386505a0dc3a05e670d4d855724814746a47550c81855398c4131f155b8d1fc4d5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b667f1fed6bb58776dbee6a87f946bf

SHA1
ae8e45614b47c8becf7eff1936ace87aa96aea35

SHA256
eec05b0dfcd8638d66d5b7f1fb6491ac93bc5cff5d56af39c3bfad45bf1a68ec

SHA512
30302f2e77c9831bd9c88cd6608a8188edff141eb09ffec90fc80d4ff42990ae4fb6d3c045621766a9bf256d4d50586ec92daacb71d50a1238f45943ca42a6a7

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4b667f1fed6bb58776dbee6a87f946bf

SHA1
ae8e45614b47c8becf7eff1936ace87aa96aea35

SHA256
eec05b0dfcd8638d66d5b7f1fb6491ac93bc5cff5d56af39c3bfad45bf1a68ec

SHA512
30302f2e77c9831bd9c88cd6608a8188edff141eb09ffec90fc80d4ff42990ae4fb6d3c045621766a9bf256d4d50586ec92daacb71d50a1238f45943ca42a6a7

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
ca744339748cfa180f57bd8c9fe896a4

SHA1
624bebc0fe4cec6fc52e6bc11405db246f418d51

SHA256
db4a6347602e957c6464a643665b306e3c8808d7842f75081a6a3529b88a3915

SHA512
2b98e62b676139909b325153424edfb3ed71088dd3ad8ccc424011abba7236764f6e9366f91d3995ea163ad4e6f996f044a02bc5db554e632d5580ce5f932a80

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
9535f1c721a292026a16ce690ff052b6

SHA1
94925bf86c47727bd6965dec08fa1022d5fad607

SHA256
e310a9b3eee7f074c56a033e5bc1c1e11fe07b93a07e81d0170fe536339e78b3

SHA512
e60aaf5009074aec8da4261aa8861254d4655613bfcfbecb08f5cb6a8b4875aa88b61d6815262c8b9935095f18b501e76ccc14010369907926e97b0115705834

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c6ff3366e90ed8bb4536203d36b5e994

SHA1
f6d672f49febb1daef7a19073536b0fdc755c9ca

SHA256
86fc3bc75a3b1bb997634e0cc1f659b94621efa1b7d576209bd4ef3230ff7192

SHA512
bee2d0d31e7075ffde6fb47e867b2cad06ff0e21231e0974e427fc23ef2b750ea12b254d07a0ed516d26e0c4a0849c61d583701a1b5b095e57ea21b3675b6c78

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
e4fda2ca2deb95ad68937043132fe321

SHA1
eff601ec502e1cdac287c863db6678865b0e5f3f

SHA256
8125fd1e38cd2a1d6ddba4bb8b165029beb513ad19fb9912f2f165c64210d2da

SHA512
ce90bb29bb1d7d75ec20240a57a418b1c9440014a091c61360919735079106956e551856ad290448cfc487a0100e1628dd3d92d265a1e5fa6e68c3c51b1b0a5d

Download Submit
\Users\Admin\AppData\Local\Temp\3581269052\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\3581269052\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f1a06602e57becf4dd1fb4a594b0e0e4

SHA1
ded7f9b5614e44ef5e9048887ab9522fd0faa749

SHA256
0adecdb6d7182c633f7f233f408758104364733183c354e17b45efd04b303995

SHA512
bbc30c6e89d11d3095a651628887cebe69afedf4ecfa7d2c09efd6471025e6e5ca27011e0c7ebbeb0bc02eb3be010aef2e25c5c6c14b7d922f5690572a410446

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
70c6b2ef6b62b76e641dbba741f66623

SHA1
bba5a6d9d55527a6a35d0dc604a5cb540b3a5b19

SHA256
8f2546deef6452d70d0abdd90052f1a6628e70fe270b10830e77fdfd623b97c7

SHA512
8d67e7b5f4d5aa821444235218a065df8251c1498b7cf8dba41b903b3b6cd1a2ac7f92d23a5014d3147409006e945f3796434fa033a01de92a842c897cf9c23c

Download Submit
memory/1932-154-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/1932-123-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads