a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
Size

72KB
MD5

9247d7d71aba8b77b22fd114270cac89
SHA1

6b985e5435752770dff8cec8d5df5ad11fe18593
SHA256

a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7
SHA512

8016d092ace9f9d01852ea6044f0c416ca2c5c243f6b27a57d70f47c9c7f7ce18859c843343623bc21615763ca809b28396dc36afef6f981433b2db6c19a9315
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGM:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrJ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	backup.exe
980	backup.exe
1484	backup.exe
576	backup.exe
760	backup.exe
1708	backup.exe
1452	backup.exe
1720	System Restore.exe
960	backup.exe
852	backup.exe
1520	backup.exe
1180	backup.exe
1688	data.exe
1868	backup.exe
1884	backup.exe
1768	data.exe
1020	backup.exe
1120	System Restore.exe
544	backup.exe
936	backup.exe
1604	update.exe
1136	backup.exe
2000	backup.exe
536	backup.exe
276	backup.exe
1588	backup.exe
1728	backup.exe
1512	backup.exe
1504	backup.exe
1324	data.exe
1280	backup.exe
1596	backup.exe
592	backup.exe
952	backup.exe
1948	backup.exe
1600	backup.exe
1820	backup.exe
1724	backup.exe
2004	backup.exe
1100	backup.exe
436	backup.exe
1896	backup.exe
948	backup.exe
1360	backup.exe
1964	backup.exe
1672	backup.exe
700	backup.exe
972	backup.exe
812	backup.exe
1140	backup.exe
1008	backup.exe
568	backup.exe
744	backup.exe
1476	backup.exe
1328	backup.exe
1852	backup.exe
1980	backup.exe
1576	backup.exe
1376	backup.exe
1952	backup.exe
1264	backup.exe
780	backup.exe
1940	backup.exe
1684	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1720	System Restore.exe
1720	System Restore.exe
960	backup.exe
960	backup.exe
1720	System Restore.exe
1720	System Restore.exe
1520	backup.exe
1520	backup.exe
1180	backup.exe
1180	backup.exe
1520	backup.exe
1520	backup.exe
1868	backup.exe
1868	backup.exe
1884	backup.exe
1884	backup.exe
1884	backup.exe
1884	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1604	update.exe
1604	update.exe
1604	update.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1020	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe
1504	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
1288	backup.exe
980	backup.exe
1484	backup.exe
576	backup.exe
760	backup.exe
1708	backup.exe
1452	backup.exe
1720	System Restore.exe
960	backup.exe
852	backup.exe
1520	backup.exe
1180	backup.exe
1688	data.exe
1868	backup.exe
1884	backup.exe
1768	data.exe
1020	backup.exe
544	backup.exe
936	backup.exe
1604	update.exe
1136	backup.exe
2000	backup.exe
536	backup.exe
276	backup.exe
1588	backup.exe
1728	backup.exe
1512	backup.exe
1504	backup.exe
1324	data.exe
1280	backup.exe
1596	backup.exe
592	backup.exe
952	backup.exe
1948	backup.exe
1600	backup.exe
1820	backup.exe
1724	backup.exe
2004	backup.exe
1100	backup.exe
436	backup.exe
1896	backup.exe
948	backup.exe
1360	backup.exe
1964	backup.exe
1672	backup.exe
700	backup.exe
972	backup.exe
812	backup.exe
1140	backup.exe
1008	backup.exe
568	backup.exe
744	backup.exe
1476	backup.exe
1328	backup.exe
1852	backup.exe
1980	backup.exe
1576	backup.exe
1376	backup.exe
1952	backup.exe
1264	backup.exe
780	backup.exe
1940	backup.exe
1684	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1288	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	27
PID 1380 wrote to memory of 1288	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	27
PID 1380 wrote to memory of 1288	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	27
PID 1380 wrote to memory of 1288	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	27
PID 1380 wrote to memory of 980	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	28
PID 1380 wrote to memory of 980	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	28
PID 1380 wrote to memory of 980	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	28
PID 1380 wrote to memory of 980	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	28
PID 1380 wrote to memory of 1484	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	29
PID 1380 wrote to memory of 1484	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	29
PID 1380 wrote to memory of 1484	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	29
PID 1380 wrote to memory of 1484	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	29
PID 1380 wrote to memory of 576	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	30
PID 1380 wrote to memory of 576	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	30
PID 1380 wrote to memory of 576	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	30
PID 1380 wrote to memory of 576	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	30
PID 1380 wrote to memory of 760	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	31
PID 1380 wrote to memory of 760	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	31
PID 1380 wrote to memory of 760	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	31
PID 1380 wrote to memory of 760	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	31
PID 1380 wrote to memory of 1708	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	32
PID 1380 wrote to memory of 1708	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	32
PID 1380 wrote to memory of 1708	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	32
PID 1380 wrote to memory of 1708	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	32
PID 1380 wrote to memory of 1452	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	33
PID 1380 wrote to memory of 1452	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	33
PID 1380 wrote to memory of 1452	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	33
PID 1380 wrote to memory of 1452	1380	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	33
PID 1288 wrote to memory of 1720	1288	backup.exe	34
PID 1288 wrote to memory of 1720	1288	backup.exe	34
PID 1288 wrote to memory of 1720	1288	backup.exe	34
PID 1288 wrote to memory of 1720	1288	backup.exe	34
PID 1720 wrote to memory of 960	1720	System Restore.exe	35
PID 1720 wrote to memory of 960	1720	System Restore.exe	35
PID 1720 wrote to memory of 960	1720	System Restore.exe	35
PID 1720 wrote to memory of 960	1720	System Restore.exe	35
PID 960 wrote to memory of 852	960	backup.exe	36
PID 960 wrote to memory of 852	960	backup.exe	36
PID 960 wrote to memory of 852	960	backup.exe	36
PID 960 wrote to memory of 852	960	backup.exe	36
PID 1720 wrote to memory of 1520	1720	System Restore.exe	37
PID 1720 wrote to memory of 1520	1720	System Restore.exe	37
PID 1720 wrote to memory of 1520	1720	System Restore.exe	37
PID 1720 wrote to memory of 1520	1720	System Restore.exe	37
PID 1520 wrote to memory of 1180	1520	backup.exe	38
PID 1520 wrote to memory of 1180	1520	backup.exe	38
PID 1520 wrote to memory of 1180	1520	backup.exe	38
PID 1520 wrote to memory of 1180	1520	backup.exe	38
PID 1180 wrote to memory of 1688	1180	backup.exe	39
PID 1180 wrote to memory of 1688	1180	backup.exe	39
PID 1180 wrote to memory of 1688	1180	backup.exe	39
PID 1180 wrote to memory of 1688	1180	backup.exe	39
PID 1520 wrote to memory of 1868	1520	backup.exe	40
PID 1520 wrote to memory of 1868	1520	backup.exe	40
PID 1520 wrote to memory of 1868	1520	backup.exe	40
PID 1520 wrote to memory of 1868	1520	backup.exe	40
PID 1868 wrote to memory of 1884	1868	backup.exe	41
PID 1868 wrote to memory of 1884	1868	backup.exe	41
PID 1868 wrote to memory of 1884	1868	backup.exe	41
PID 1868 wrote to memory of 1884	1868	backup.exe	41
PID 1884 wrote to memory of 1768	1884	backup.exe	42
PID 1884 wrote to memory of 1768	1884	backup.exe	42
PID 1884 wrote to memory of 1768	1884	backup.exe	42
PID 1884 wrote to memory of 1768	1884	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
"C:\Users\Admin\AppData\Local\Temp\a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1380
- C:\Users\Admin\AppData\Local\Temp\3278385107\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3278385107\backup.exe C:\Users\Admin\AppData\Local\Temp\3278385107\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1720
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:960
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:852
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1180
      - C:\Program Files\7-Zip\Lang\data.exe
        
        "C:\Program Files\7-Zip\Lang\data.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1688
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1580
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1020
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:912
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:948
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:700
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:880
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1108
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1260
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:952
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1540
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:544
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1324
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1036
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1928
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1180
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1204
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1780
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:932
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1092
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:700
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:984
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1604
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1996
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:808
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1576
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1620
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1768
    - - C:\Program Files\Java\update.exe
        
        "C:\Program Files\Java\update.exe" C:\Program Files\Java\
        5⤵
        
        PID:908
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1424
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:992
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1204
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2008
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:948
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1696
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1476
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1656
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        System policy modification
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        System policy modification
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:668
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1736
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:924
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:560
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:932
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:620
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:972
      - C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1108
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1260
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1384
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1648
    - - C:\Program Files (x86)\Google\update.exe
        
        "C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:964
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:536
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1472
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1376
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1120
    - - C:\Program Files (x86)\Microsoft Synchronization Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\System Restore.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1808
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1976
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:960
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1276
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1064
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1188
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:980
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:576
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:760
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fb9d879f0a35b8afba30794aa7e48efd

SHA1
3139d12262bb4027ee86e3c790b8e71888df6b6c

SHA256
7e226cc148cfd2f8633114618153a1dcf306099c0a00035c588201c86fa4b825

SHA512
5cdf84568f45c950c269b52666bb4d19482d5118518d4906f5368173ed31fde7d88001d36ccc1283d2de6de6aa72bb79ea81251fcc01c018e0b91cf891bb0c2b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
C:\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
b5a5d5f91c7ffb4962df6a06040f995a

SHA1
2047de172703d0f9ec4725c5536200e7b5fb8a73

SHA256
c426070b811ebb80d897224bcba4f08ee11f8479a95088deb01a70a89c48e3af

SHA512
676490f1b1c8c77d7ac924f8aca1269e5e44ab1d8d4258e592471e0fe6476ee31b613a3e85dbd98f9d8cee8f8e999520281b3021b772e424aa03a41143bcf5f5

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
b5a5d5f91c7ffb4962df6a06040f995a

SHA1
2047de172703d0f9ec4725c5536200e7b5fb8a73

SHA256
c426070b811ebb80d897224bcba4f08ee11f8479a95088deb01a70a89c48e3af

SHA512
676490f1b1c8c77d7ac924f8aca1269e5e44ab1d8d4258e592471e0fe6476ee31b613a3e85dbd98f9d8cee8f8e999520281b3021b772e424aa03a41143bcf5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3278385107\backup.exe

Filesize
72KB

MD5
2a92a0e18b6cd01fc3a146350c6d484e

SHA1
994dc648b4543828ee87974ed8fab10a2d54cea3

SHA256
aa576247173d7fbb985920ca6bcc8c9847127e3ad156db3e26dfa12700ecaaca

SHA512
c54b7d7ff62f05f4f206d7e496a0108cb4a2e9226042c0678b8cb6271eaaa296c7301a0769ebfaab16b1d3ebe67eb1457f588586e77859a6ee473f4d0f201beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3278385107\backup.exe

Filesize
72KB

MD5
2a92a0e18b6cd01fc3a146350c6d484e

SHA1
994dc648b4543828ee87974ed8fab10a2d54cea3

SHA256
aa576247173d7fbb985920ca6bcc8c9847127e3ad156db3e26dfa12700ecaaca

SHA512
c54b7d7ff62f05f4f206d7e496a0108cb4a2e9226042c0678b8cb6271eaaa296c7301a0769ebfaab16b1d3ebe67eb1457f588586e77859a6ee473f4d0f201beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fb9d879f0a35b8afba30794aa7e48efd

SHA1
3139d12262bb4027ee86e3c790b8e71888df6b6c

SHA256
7e226cc148cfd2f8633114618153a1dcf306099c0a00035c588201c86fa4b825

SHA512
5cdf84568f45c950c269b52666bb4d19482d5118518d4906f5368173ed31fde7d88001d36ccc1283d2de6de6aa72bb79ea81251fcc01c018e0b91cf891bb0c2b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fb9d879f0a35b8afba30794aa7e48efd

SHA1
3139d12262bb4027ee86e3c790b8e71888df6b6c

SHA256
7e226cc148cfd2f8633114618153a1dcf306099c0a00035c588201c86fa4b825

SHA512
5cdf84568f45c950c269b52666bb4d19482d5118518d4906f5368173ed31fde7d88001d36ccc1283d2de6de6aa72bb79ea81251fcc01c018e0b91cf891bb0c2b

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
51cab7bdd5b1cf4412c6d4fd60294983

SHA1
088a5764e167e644a75683f21da845de00b09bb7

SHA256
439813f3cad2688cc0c1b0a2c0a56b4b974eca1921934c0e331b6840c20ddb2e

SHA512
73cdcbeedc0b8f50cba4fb5b10f0f9084f38479de9f927b4469c5c858f6f257b101b2de394f4d8578b9b41a1dba0f03f9745e3bf5461fcbd8bd6d8593ed722a0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
d586e58ebb782dc00e6f7775a33f1a99

SHA1
6ec9b85a1d6ba01338f4e3d83ec41996d3fd125c

SHA256
f2f55782e6c667495e50dcbffce3293277a5304c0452e63914456f8e6eaa162d

SHA512
b0caf3a0c21da135af286e628ab5f631b8c3a86c19dfe631ec3e15f30bbe0867cb7b65a4d588266ac7c1d128435c37b882942180cc100a9ceb788129e3e60f6e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
3a921e916189e44192a569a7e051a369

SHA1
e91628bb3d0e038b0bc0b6069f0b6c28afd543f5

SHA256
b5a576db1311a85f68e7c4ab495ad07c02d91d988adf2861ab211e1fae541f7f

SHA512
a6fdcf2651a9d90254942308c2d5033ef574e2f1fa7f4487e8e62791f735e78f65eae3d705d3a2a821c7754ac5855c9d43c294e2616eb7e90ae01f2b8e919817

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
55dff0a856c0c8f70777dcfeb8f30d79

SHA1
9b218d07c3c7a99333fd13e20489305b7a7e3fab

SHA256
7d5a72afd823f83043b715a9fc2615a74201a4e4b8fd1f31830959cf0e945d89

SHA512
b0c8d6630dccf86c8623b5d21380e5ed7ff5dda9efc739e15cc0f8b826f24e48c88c5daa866584ee88d6fc2acd51ca2b976b99085480a535c832024705f88f03

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
3a6da7514c116d50b10d1f4f270f82b9

SHA1
c652b150002d33b9af15c6c41ec1c5fbc6de3c18

SHA256
d12f197ed24521befed6c73494d494be829dc03bca806ee90b1b67db0a41fcf1

SHA512
e088652fec7c7cd21dab3307a5d4bc036dfc58c2a97fe76b4b46497d2ac20e8f5645876e67cdc426d8921d49cb77ca5d8085801c480c10918dcda194a52ae2a9

Download Submit
\Users\Admin\AppData\Local\Temp\3278385107\backup.exe

Filesize
72KB

MD5
2a92a0e18b6cd01fc3a146350c6d484e

SHA1
994dc648b4543828ee87974ed8fab10a2d54cea3

SHA256
aa576247173d7fbb985920ca6bcc8c9847127e3ad156db3e26dfa12700ecaaca

SHA512
c54b7d7ff62f05f4f206d7e496a0108cb4a2e9226042c0678b8cb6271eaaa296c7301a0769ebfaab16b1d3ebe67eb1457f588586e77859a6ee473f4d0f201beb

Download Submit
\Users\Admin\AppData\Local\Temp\3278385107\backup.exe

Filesize
72KB

MD5
2a92a0e18b6cd01fc3a146350c6d484e

SHA1
994dc648b4543828ee87974ed8fab10a2d54cea3

SHA256
aa576247173d7fbb985920ca6bcc8c9847127e3ad156db3e26dfa12700ecaaca

SHA512
c54b7d7ff62f05f4f206d7e496a0108cb4a2e9226042c0678b8cb6271eaaa296c7301a0769ebfaab16b1d3ebe67eb1457f588586e77859a6ee473f4d0f201beb

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
bca5bf75ef296d6a4bc103de0dc41b8f

SHA1
289d2d392f6910109561555513828cc17359194c

SHA256
287ec0729ebf8d03ea9c097a9947de207d8950b18ddd03699a0ed170219bf2c3

SHA512
b2d688f8fb76ba804507d25d1665294992d13d8d9f03765bc669050b34ef05e2a4f3fa574629380d326ba957e9b0034324022c8ddcd4c2a9f525d94d34c27d1a

Download Submit
memory/1380-100-0x0000000074221000-0x0000000074223000-memory.dmp

Filesize
8KB

Download
memory/1380-98-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads