ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45

Analysis

max time kernel
156s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 00:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
Size

72KB
MD5

0ecbf876dfdf81704c1c90ebfb07ea4c
SHA1

3228ce0307e23f27e3bc16efa15c8287f8c4a267
SHA256

ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45
SHA512

b111592fac499d834dd23f15f10b48ad49faf15fe9ebbe54ecf97e1800fb4c6a955d7d802d7ddd59dc650ecf151767bccc92a756ac9811c922b1b0821c1e94aa
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k7OV:teThavEjDWguKU7M

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1996	backup.exe
1696	System Restore.exe
944	backup.exe
1308	backup.exe
1168	backup.exe
2016	backup.exe
584	backup.exe
1884	backup.exe
640	backup.exe
1508	backup.exe
1200	backup.exe
1616	backup.exe
676	backup.exe
832	backup.exe
1228	backup.exe
992	backup.exe
1468	backup.exe
1544	backup.exe
1056	backup.exe
1976	backup.exe
1956	backup.exe
1764	backup.exe
1696	backup.exe
1516	backup.exe
1068	backup.exe
1044	backup.exe
1768	backup.exe
468	backup.exe
1980	backup.exe
1420	backup.exe
1064	update.exe
1820	backup.exe
640	backup.exe
868	backup.exe
584	backup.exe
1280	backup.exe
2008	backup.exe
1020	backup.exe
1460	backup.exe
1620	backup.exe
1652	backup.exe
1100	backup.exe
896	backup.exe
568	backup.exe
1576	backup.exe
1664	backup.exe
1544	backup.exe
1964	backup.exe
1316	backup.exe
1568	backup.exe
1760	backup.exe
1600	backup.exe
828	backup.exe
616	backup.exe
820	backup.exe
1396	backup.exe
2016	backup.exe
1792	backup.exe
760	backup.exe
1152	backup.exe
1540	backup.exe
1888	backup.exe
1296	backup.exe
1284	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1168	backup.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1168	backup.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
584	backup.exe
584	backup.exe
1168	backup.exe
1168	backup.exe
1200	backup.exe
1200	backup.exe
1616	backup.exe
1616	backup.exe
1200	backup.exe
1200	backup.exe
832	backup.exe
832	backup.exe
1228	backup.exe
1228	backup.exe
1228	backup.exe
1228	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1468	backup.exe
1980	backup.exe
1980	backup.exe
1980	backup.exe
1064	update.exe
1064	update.exe
1064	update.exe
1980	backup.exe
1980	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
1996	backup.exe
1696	System Restore.exe
944	backup.exe
1308	backup.exe
1168	backup.exe
2016	backup.exe
584	backup.exe
1884	backup.exe
640	backup.exe
1508	backup.exe
1200	backup.exe
1616	backup.exe
676	backup.exe
832	backup.exe
1228	backup.exe
992	backup.exe
1468	backup.exe
1544	backup.exe
1976	backup.exe
1956	backup.exe
1764	backup.exe
1696	backup.exe
1516	backup.exe
1068	backup.exe
1044	backup.exe
1768	backup.exe
468	backup.exe
1980	backup.exe
1420	backup.exe
1064	update.exe
1820	backup.exe
640	backup.exe
868	backup.exe
584	backup.exe
1280	backup.exe
2008	backup.exe
1020	backup.exe
1460	backup.exe
1620	backup.exe
1652	backup.exe
1100	backup.exe
896	backup.exe
568	backup.exe
1576	backup.exe
1664	backup.exe
1544	backup.exe
1964	backup.exe
1316	backup.exe
1568	backup.exe
1760	backup.exe
1600	backup.exe
616	backup.exe
828	backup.exe
820	backup.exe
1396	backup.exe
2016	backup.exe
1792	backup.exe
760	backup.exe
1152	backup.exe
1540	backup.exe
1888	backup.exe
1296	backup.exe
768	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1996	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	26
PID 1988 wrote to memory of 1996	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	26
PID 1988 wrote to memory of 1996	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	26
PID 1988 wrote to memory of 1996	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	26
PID 1988 wrote to memory of 1696	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	27
PID 1988 wrote to memory of 1696	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	27
PID 1988 wrote to memory of 1696	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	27
PID 1988 wrote to memory of 1696	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	27
PID 1988 wrote to memory of 944	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	28
PID 1988 wrote to memory of 944	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	28
PID 1988 wrote to memory of 944	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	28
PID 1988 wrote to memory of 944	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	28
PID 1988 wrote to memory of 1308	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	29
PID 1988 wrote to memory of 1308	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	29
PID 1988 wrote to memory of 1308	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	29
PID 1988 wrote to memory of 1308	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	29
PID 1996 wrote to memory of 1168	1996	backup.exe	30
PID 1996 wrote to memory of 1168	1996	backup.exe	30
PID 1996 wrote to memory of 1168	1996	backup.exe	30
PID 1996 wrote to memory of 1168	1996	backup.exe	30
PID 1988 wrote to memory of 2016	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	31
PID 1988 wrote to memory of 2016	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	31
PID 1988 wrote to memory of 2016	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	31
PID 1988 wrote to memory of 2016	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	31
PID 1988 wrote to memory of 1884	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	32
PID 1988 wrote to memory of 1884	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	32
PID 1988 wrote to memory of 1884	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	32
PID 1988 wrote to memory of 1884	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	32
PID 1168 wrote to memory of 584	1168	backup.exe	33
PID 1168 wrote to memory of 584	1168	backup.exe	33
PID 1168 wrote to memory of 584	1168	backup.exe	33
PID 1168 wrote to memory of 584	1168	backup.exe	33
PID 1988 wrote to memory of 640	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	34
PID 1988 wrote to memory of 640	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	34
PID 1988 wrote to memory of 640	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	34
PID 1988 wrote to memory of 640	1988	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe	34
PID 584 wrote to memory of 1508	584	backup.exe	35
PID 584 wrote to memory of 1508	584	backup.exe	35
PID 584 wrote to memory of 1508	584	backup.exe	35
PID 584 wrote to memory of 1508	584	backup.exe	35
PID 1168 wrote to memory of 1200	1168	backup.exe	36
PID 1168 wrote to memory of 1200	1168	backup.exe	36
PID 1168 wrote to memory of 1200	1168	backup.exe	36
PID 1168 wrote to memory of 1200	1168	backup.exe	36
PID 1200 wrote to memory of 1616	1200	backup.exe	37
PID 1200 wrote to memory of 1616	1200	backup.exe	37
PID 1200 wrote to memory of 1616	1200	backup.exe	37
PID 1200 wrote to memory of 1616	1200	backup.exe	37
PID 1616 wrote to memory of 676	1616	backup.exe	38
PID 1616 wrote to memory of 676	1616	backup.exe	38
PID 1616 wrote to memory of 676	1616	backup.exe	38
PID 1616 wrote to memory of 676	1616	backup.exe	38
PID 1200 wrote to memory of 832	1200	backup.exe	39
PID 1200 wrote to memory of 832	1200	backup.exe	39
PID 1200 wrote to memory of 832	1200	backup.exe	39
PID 1200 wrote to memory of 832	1200	backup.exe	39
PID 832 wrote to memory of 1228	832	backup.exe	40
PID 832 wrote to memory of 1228	832	backup.exe	40
PID 832 wrote to memory of 1228	832	backup.exe	40
PID 832 wrote to memory of 1228	832	backup.exe	40
PID 1228 wrote to memory of 992	1228	backup.exe	41
PID 1228 wrote to memory of 992	1228	backup.exe	41
PID 1228 wrote to memory of 992	1228	backup.exe	41
PID 1228 wrote to memory of 992	1228	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe
"C:\Users\Admin\AppData\Local\Temp\ea017bc59bc1d787f89c108dfa86604575aba382eccfe7b043c2be48abce2f45.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988
- C:\Users\Admin\AppData\Local\Temp\1821361932\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1821361932\backup.exe C:\Users\Admin\AppData\Local\Temp\1821361932\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1168
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:584
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        System policy modification
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1888
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1792
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1316
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1308
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1392
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2004
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1596
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1284
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:284
        
        C:\Program Files\Common Files\System\Ole DB\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1316
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:828
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1284
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1360
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2016
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1488
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:288
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:1584
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1772
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1944
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1280
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1772
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1596
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1108
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1516
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1992
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1100
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:896
      - C:\Program Files\Java\jdk1.7.0_80\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\update.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1644
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1116
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1748
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:688
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1120
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1496
    - - C:\Program Files\Reference Assemblies\update.exe
        
        "C:\Program Files\Reference Assemblies\update.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1400
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:828
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1544
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:240
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1740
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:884
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:984
      - C:\Program Files (x86)\Common Files\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2028
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1472
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1768
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1420
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1724
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1612
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1020
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2000
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:520
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1628
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1396
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        System policy modification
        
        PID:1648
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Internet Explorer\en-US\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\data.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:468
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Microsoft Office\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\update.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:580
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:952
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1064
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1776
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1636
  - - C:\Users\update.exe
      C:\Users\update.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1152
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1856
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
eac2b4ea037bede6e4ecc2eff4d4c099

SHA1
5d1cff863a2b640fd5119ed78e42a7205a0b59d9

SHA256
84031fae7444f9ff3edfa2aa9ce844190ab1d06c288b5ef39685bb51281d2499

SHA512
ace174a00f4917ea3f2bed8b4ec636bd6683106f9b5f4f440344cf8a0c9d2e2cce5e7f8b1adbdafdbb1e3e84735ec6d5419d95043e2d45facff89d22a6f7d8ea

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
41c853bc84db6078f4aff9a4085cf1b1

SHA1
ade6c8b262ea60bdd6b8fc7eedfd19fd8ca23a6c

SHA256
820d5e20e79373129fa1b4d64d3c0683c84227bc1a9b952548334f60fea8d8fc

SHA512
6cb509d1fd7da915558f46ecae6c783c1c12d9968f2edd50f9a06bf66084e68ab9d24bf2528260f0193576261db97251d15637b471eadcabe3f06eb26ab15590

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
41c853bc84db6078f4aff9a4085cf1b1

SHA1
ade6c8b262ea60bdd6b8fc7eedfd19fd8ca23a6c

SHA256
820d5e20e79373129fa1b4d64d3c0683c84227bc1a9b952548334f60fea8d8fc

SHA512
6cb509d1fd7da915558f46ecae6c783c1c12d9968f2edd50f9a06bf66084e68ab9d24bf2528260f0193576261db97251d15637b471eadcabe3f06eb26ab15590

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
5f0762c599970940580fd939908d3ab6

SHA1
bf8dc3ae018ea2f77608f56f064e2f1f48bc910d

SHA256
a03ef14a3985cb835e72bc1849c43f890139533f8a6dcdb3b9cd24a0b1e40b77

SHA512
4256564475ccd03f4cb08b0ceeced26477fbae1039c18a7408099c2c69ecb6e0167fa27e5083df2e69fd30b932989f7031b9a61b8fcd428ca3ef25f83530c43a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
908c53eb58dc208e2a9c51223aff7551

SHA1
02b7b97e1bc3d7696f4d924109e839385c4d8e8c

SHA256
f32a392511e39d204f4b42353b4021edac64342dc01bac409143157a6eb83427

SHA512
80411cd9eea62495871e410acc0d605c1f2388ebb8a9c0391bc446963ad56430b39c693655b7ccc07d4cd5066dd4c3d3ac945abe71029a47f25ce69869dac9dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
908c53eb58dc208e2a9c51223aff7551

SHA1
02b7b97e1bc3d7696f4d924109e839385c4d8e8c

SHA256
f32a392511e39d204f4b42353b4021edac64342dc01bac409143157a6eb83427

SHA512
80411cd9eea62495871e410acc0d605c1f2388ebb8a9c0391bc446963ad56430b39c693655b7ccc07d4cd5066dd4c3d3ac945abe71029a47f25ce69869dac9dc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0e140b8f7592ed1183c035819f5c4e25

SHA1
c203e991ea94c6c6afd9f3a3e24e73e7e29e77ec

SHA256
397485db84fc18b04c8b9c8083c46d34058d99ad6740b4ddec950d2c8b0ea8c4

SHA512
b719407971af70662c19541ac22ae1a69f1d06a35029544bfb678ec5300f1a08f74d81423e29154356335a4b9f71a029a271b49d0e122b3f06951f9f7a4fac30

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0e140b8f7592ed1183c035819f5c4e25

SHA1
c203e991ea94c6c6afd9f3a3e24e73e7e29e77ec

SHA256
397485db84fc18b04c8b9c8083c46d34058d99ad6740b4ddec950d2c8b0ea8c4

SHA512
b719407971af70662c19541ac22ae1a69f1d06a35029544bfb678ec5300f1a08f74d81423e29154356335a4b9f71a029a271b49d0e122b3f06951f9f7a4fac30

Download Submit
C:\Users\Admin\AppData\Local\Temp\1821361932\backup.exe

Filesize
72KB

MD5
5b174cf98fd23d2d3ec31909bf36d1aa

SHA1
acb91230b013e9dbce074e412d847d99a32fc550

SHA256
a3f0a4c36c803caaa038a45b10e328990a911cc3f7918e61efd4479bd6fe8750

SHA512
1983ce1de80d0d765af04a3cbf140357f9ba0d41c4b5d8ea75499feac1e8e55da51a833644215c33dc3ebbe1c602243eb0b5dba9a60cf21fd516118d62ae584f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1821361932\backup.exe

Filesize
72KB

MD5
5b174cf98fd23d2d3ec31909bf36d1aa

SHA1
acb91230b013e9dbce074e412d847d99a32fc550

SHA256
a3f0a4c36c803caaa038a45b10e328990a911cc3f7918e61efd4479bd6fe8750

SHA512
1983ce1de80d0d765af04a3cbf140357f9ba0d41c4b5d8ea75499feac1e8e55da51a833644215c33dc3ebbe1c602243eb0b5dba9a60cf21fd516118d62ae584f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
42f4d40cf98f8a65329a21739d8989bd

SHA1
eec43b1fa22572bc92516b0417d7e9a10019bb4a

SHA256
b10aee8c376e85a2a8af661d7c62786a063c686d62171ae8918ea0a24c233a6b

SHA512
6bc427d6bc70ebc538049e709c408231943a36e2fd81fb03ced1423e3180ccbccb85b0b3f095e01db1840904032e1963d26e09b4e1667ba9f242d42ff21e761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e88d0cedd0f251063fb8bd73a17b8ab4

SHA1
b7b200ce282ce093ee920f69f3e3d32ededb0e2a

SHA256
58f6e80060b1c060658d173b2a43179f16822e93790b24df387b11a75b7ed7cf

SHA512
4c1412b29c74bfcfef84dff91455c048275cabd33a91e136ac37bddb658ddfe1246b934890eccc341966f4f330edbbe2f60b90758f96523c7692e6749d0484e1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e88d0cedd0f251063fb8bd73a17b8ab4

SHA1
b7b200ce282ce093ee920f69f3e3d32ededb0e2a

SHA256
58f6e80060b1c060658d173b2a43179f16822e93790b24df387b11a75b7ed7cf

SHA512
4c1412b29c74bfcfef84dff91455c048275cabd33a91e136ac37bddb658ddfe1246b934890eccc341966f4f330edbbe2f60b90758f96523c7692e6749d0484e1

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
eac2b4ea037bede6e4ecc2eff4d4c099

SHA1
5d1cff863a2b640fd5119ed78e42a7205a0b59d9

SHA256
84031fae7444f9ff3edfa2aa9ce844190ab1d06c288b5ef39685bb51281d2499

SHA512
ace174a00f4917ea3f2bed8b4ec636bd6683106f9b5f4f440344cf8a0c9d2e2cce5e7f8b1adbdafdbb1e3e84735ec6d5419d95043e2d45facff89d22a6f7d8ea

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
eac2b4ea037bede6e4ecc2eff4d4c099

SHA1
5d1cff863a2b640fd5119ed78e42a7205a0b59d9

SHA256
84031fae7444f9ff3edfa2aa9ce844190ab1d06c288b5ef39685bb51281d2499

SHA512
ace174a00f4917ea3f2bed8b4ec636bd6683106f9b5f4f440344cf8a0c9d2e2cce5e7f8b1adbdafdbb1e3e84735ec6d5419d95043e2d45facff89d22a6f7d8ea

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
41c853bc84db6078f4aff9a4085cf1b1

SHA1
ade6c8b262ea60bdd6b8fc7eedfd19fd8ca23a6c

SHA256
820d5e20e79373129fa1b4d64d3c0683c84227bc1a9b952548334f60fea8d8fc

SHA512
6cb509d1fd7da915558f46ecae6c783c1c12d9968f2edd50f9a06bf66084e68ab9d24bf2528260f0193576261db97251d15637b471eadcabe3f06eb26ab15590

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
41c853bc84db6078f4aff9a4085cf1b1

SHA1
ade6c8b262ea60bdd6b8fc7eedfd19fd8ca23a6c

SHA256
820d5e20e79373129fa1b4d64d3c0683c84227bc1a9b952548334f60fea8d8fc

SHA512
6cb509d1fd7da915558f46ecae6c783c1c12d9968f2edd50f9a06bf66084e68ab9d24bf2528260f0193576261db97251d15637b471eadcabe3f06eb26ab15590

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
5f0762c599970940580fd939908d3ab6

SHA1
bf8dc3ae018ea2f77608f56f064e2f1f48bc910d

SHA256
a03ef14a3985cb835e72bc1849c43f890139533f8a6dcdb3b9cd24a0b1e40b77

SHA512
4256564475ccd03f4cb08b0ceeced26477fbae1039c18a7408099c2c69ecb6e0167fa27e5083df2e69fd30b932989f7031b9a61b8fcd428ca3ef25f83530c43a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
5f0762c599970940580fd939908d3ab6

SHA1
bf8dc3ae018ea2f77608f56f064e2f1f48bc910d

SHA256
a03ef14a3985cb835e72bc1849c43f890139533f8a6dcdb3b9cd24a0b1e40b77

SHA512
4256564475ccd03f4cb08b0ceeced26477fbae1039c18a7408099c2c69ecb6e0167fa27e5083df2e69fd30b932989f7031b9a61b8fcd428ca3ef25f83530c43a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
eb5856131e6910135082285912458285

SHA1
1590389ed6d106d3528afb0b298b206f12faa79b

SHA256
7ca4b166fefb225f35b300b122c1d1e41fcc01f73aafa3803120ae6832b2ecb7

SHA512
05d0a061bb9daef542160eafe4548ed0787d1cabf0f7bb64d837fc06fdf28fb67c839bcdf1f3db9db77aad5196196c73499407aa7ba42a54d9094ba757a12e99

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
908c53eb58dc208e2a9c51223aff7551

SHA1
02b7b97e1bc3d7696f4d924109e839385c4d8e8c

SHA256
f32a392511e39d204f4b42353b4021edac64342dc01bac409143157a6eb83427

SHA512
80411cd9eea62495871e410acc0d605c1f2388ebb8a9c0391bc446963ad56430b39c693655b7ccc07d4cd5066dd4c3d3ac945abe71029a47f25ce69869dac9dc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
908c53eb58dc208e2a9c51223aff7551

SHA1
02b7b97e1bc3d7696f4d924109e839385c4d8e8c

SHA256
f32a392511e39d204f4b42353b4021edac64342dc01bac409143157a6eb83427

SHA512
80411cd9eea62495871e410acc0d605c1f2388ebb8a9c0391bc446963ad56430b39c693655b7ccc07d4cd5066dd4c3d3ac945abe71029a47f25ce69869dac9dc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8187bda5235944943a197d7c4d9cde4b

SHA1
2c521e785111d4598db6221126b76ac43d0086e1

SHA256
4667041ddb94025d272b25dba036446f9211d1cceda665fc270e419100b417d2

SHA512
8d7762f799a9e9e9646e6fdd5636d3f3ee8f6c4b4bfe6427de75db849c7e097315e63cb443330ab386f3021c0b90275ee4ec782727b9ca018b5852e435acaa36

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
a940d725d69e2d329c5e7e95f699d435

SHA1
3a12851b1d3da11869387266b47cd133d44e39b7

SHA256
f9728bf78a90563b9cc6163b82f9b7663fc22fe4ab415dbff46be83a56f59479

SHA512
556d06a1bde8f0bab1da47700ab139086c5545776e4b79b887c8350ffb059e982ed3837118fa1915e1592a02d54aaf109653f9887d77031de6bb4613165ca342

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
459baa7f2311e79133be3ede7d510eca

SHA1
66884464712fc3d576f1d39b36749050d2f9ebc7

SHA256
eba6bf30afebe3f05048faf9b1469bfcbfbf474eaf3874944cc32538a39c214c

SHA512
ac63cca16a0dd231d510257e953e4ce89ca79082ed3e03d412bf5650f0b01d7173a1b68cad3e47660d0b9394d1b53fa17dd7aff8e6474d4039c18951f4fc8159

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
0e140b8f7592ed1183c035819f5c4e25

SHA1
c203e991ea94c6c6afd9f3a3e24e73e7e29e77ec

SHA256
397485db84fc18b04c8b9c8083c46d34058d99ad6740b4ddec950d2c8b0ea8c4

SHA512
b719407971af70662c19541ac22ae1a69f1d06a35029544bfb678ec5300f1a08f74d81423e29154356335a4b9f71a029a271b49d0e122b3f06951f9f7a4fac30

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
0e140b8f7592ed1183c035819f5c4e25

SHA1
c203e991ea94c6c6afd9f3a3e24e73e7e29e77ec

SHA256
397485db84fc18b04c8b9c8083c46d34058d99ad6740b4ddec950d2c8b0ea8c4

SHA512
b719407971af70662c19541ac22ae1a69f1d06a35029544bfb678ec5300f1a08f74d81423e29154356335a4b9f71a029a271b49d0e122b3f06951f9f7a4fac30

Download Submit
\Users\Admin\AppData\Local\Temp\1821361932\backup.exe

Filesize
72KB

MD5
5b174cf98fd23d2d3ec31909bf36d1aa

SHA1
acb91230b013e9dbce074e412d847d99a32fc550

SHA256
a3f0a4c36c803caaa038a45b10e328990a911cc3f7918e61efd4479bd6fe8750

SHA512
1983ce1de80d0d765af04a3cbf140357f9ba0d41c4b5d8ea75499feac1e8e55da51a833644215c33dc3ebbe1c602243eb0b5dba9a60cf21fd516118d62ae584f

Download Submit
\Users\Admin\AppData\Local\Temp\1821361932\backup.exe

Filesize
72KB

MD5
5b174cf98fd23d2d3ec31909bf36d1aa

SHA1
acb91230b013e9dbce074e412d847d99a32fc550

SHA256
a3f0a4c36c803caaa038a45b10e328990a911cc3f7918e61efd4479bd6fe8750

SHA512
1983ce1de80d0d765af04a3cbf140357f9ba0d41c4b5d8ea75499feac1e8e55da51a833644215c33dc3ebbe1c602243eb0b5dba9a60cf21fd516118d62ae584f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
42f4d40cf98f8a65329a21739d8989bd

SHA1
eec43b1fa22572bc92516b0417d7e9a10019bb4a

SHA256
b10aee8c376e85a2a8af661d7c62786a063c686d62171ae8918ea0a24c233a6b

SHA512
6bc427d6bc70ebc538049e709c408231943a36e2fd81fb03ced1423e3180ccbccb85b0b3f095e01db1840904032e1963d26e09b4e1667ba9f242d42ff21e761f

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
42f4d40cf98f8a65329a21739d8989bd

SHA1
eec43b1fa22572bc92516b0417d7e9a10019bb4a

SHA256
b10aee8c376e85a2a8af661d7c62786a063c686d62171ae8918ea0a24c233a6b

SHA512
6bc427d6bc70ebc538049e709c408231943a36e2fd81fb03ced1423e3180ccbccb85b0b3f095e01db1840904032e1963d26e09b4e1667ba9f242d42ff21e761f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
6db1c078a925038364b4c71612c6b22b

SHA1
3d2cf6babddcf2c717de341e4751c21caae10187

SHA256
9f3250fada79602edd2606a37ae633a66eca1344f567e32454844413a99221e8

SHA512
6813d69f2a9476d06aa2ddde1a8d792600a0c48993735aae8237f37644b381951e92d917ec3c53da92d9c4a67f49086a8ad2b2df042024e851bc6ab29630fc26

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e9dec1ee36e7d4fe5ecde52482dd9c4e

SHA1
b5bfae70f722f4b653e5afbd9a5635e5ae6745c9

SHA256
08213d0d0e2d96447fd881b0bcac24ac9e3900666dbc486181f588b1ac222697

SHA512
38ebb033234844a16ccc3c5f9763586135f190c63a5326c292495141edf119f426e4ab802a17ad12fd5e2b120cad562c8aad654d07a75908478ea4f1023421a6

Download Submit
memory/1988-111-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads