1ea161ddc4852350e5ac623110b6f2ec9655ba668b0acfbff6e850f9a9a262bd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 05:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5854ece0350424da38607f1d222f8780.exe
Size

176KB
MD5

5854ece0350424da38607f1d222f8780
SHA1

f3709524efd76917ca7b4f7e35089d814d200579
SHA256

1ea161ddc4852350e5ac623110b6f2ec9655ba668b0acfbff6e850f9a9a262bd
SHA512

e4c56de23f2308f650b1178aa745bb61026922f15f5118a4491146a877bb87446da5890b8bf786a8fdcb7b78605b9478cd5cc6cd5fb04643b854291e7ec656fb
SSDEEP

768:Ac/TbblFpQNwC3BEc4QEfu0Ei8XxNDI/vFaaz6JZ1Ssw63BEfq:x7bbl/eThavEjDUvFaaAXZL0q

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.5854ece0350424da38607f1d222f8780.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2292	backup.exe
2788	backup.exe
2664	backup.exe
2672	backup.exe
2676	backup.exe
2688	backup.exe
2536	backup.exe
1652	backup.exe
2776	backup.exe
1968	data.exe
2604	System Restore.exe
984	backup.exe
1088	backup.exe
2936	backup.exe
2080	backup.exe
1624	System Restore.exe
1340	backup.exe
1524	backup.exe
340	backup.exe
2016	backup.exe
1276	backup.exe
2484	backup.exe
3028	backup.exe
2600	backup.exe
1700	backup.exe
1704	backup.exe
2312	backup.exe
2608	backup.exe
2656	backup.exe
2824	backup.exe
2784	backup.exe
2068	System Restore.exe
2468	backup.exe
2684	backup.exe
3060	backup.exe
2336	backup.exe
2192	backup.exe
2752	backup.exe
1488	backup.exe
1884	backup.exe
2708	backup.exe
2728	backup.exe
576	update.exe
1156	backup.exe
760	data.exe
2324	backup.exe
2612	backup.exe
1300	data.exe
2256	backup.exe
612	backup.exe
1172	backup.exe
1756	backup.exe
1772	backup.exe
952	backup.exe
2236	backup.exe
1032	backup.exe
1544	backup.exe
1276	backup.exe
876	backup.exe
2484	backup.exe
1760	backup.exe
2600	backup.exe
1700	backup.exe
1704	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
1652	backup.exe
1652	backup.exe
2776	backup.exe
2776	backup.exe
1652	backup.exe
1652	backup.exe
2604	System Restore.exe
2604	System Restore.exe
984	backup.exe
984	backup.exe
2604	System Restore.exe
2604	System Restore.exe
2936	backup.exe
2936	backup.exe
2080	backup.exe
2080	backup.exe
2080	backup.exe
2080	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
1340	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe
2656	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x001b000000015ea6-5.dat	upx
behavioral1/files/0x001b000000015ea6-7.dat	upx
behavioral1/files/0x001b000000015ea6-9.dat	upx
behavioral1/files/0x001b000000015ea6-12.dat	upx
behavioral1/memory/2292-13-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000016613-17.dat	upx
behavioral1/files/0x0007000000016613-23.dat	upx
behavioral1/files/0x0007000000016613-19.dat	upx
behavioral1/memory/2788-28-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0009000000016ada-29.dat	upx
behavioral1/files/0x0009000000016ada-31.dat	upx
behavioral1/files/0x0009000000016ada-36.dat	upx
behavioral1/memory/2156-47-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x000a0000000167f0-46.dat	upx
behavioral1/files/0x000a0000000167f0-42.dat	upx
behavioral1/files/0x000a0000000167f0-40.dat	upx
behavioral1/memory/2672-51-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2292-58-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016c9c-59.dat	upx
behavioral1/files/0x0006000000016c9c-54.dat	upx
behavioral1/files/0x0006000000016c9c-52.dat	upx
behavioral1/memory/2676-63-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x001b000000016050-64.dat	upx
behavioral1/files/0x001b000000016050-70.dat	upx
behavioral1/files/0x001b000000016050-66.dat	upx
behavioral1/memory/2688-74-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016cb7-75.dat	upx
behavioral1/files/0x0006000000016cb7-78.dat	upx
behavioral1/files/0x0006000000016cb7-82.dat	upx
behavioral1/memory/2536-87-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x001b000000015ea6-88.dat	upx
behavioral1/files/0x0006000000016cd8-97.dat	upx
behavioral1/memory/2664-93-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016cd8-104.dat	upx
behavioral1/memory/1652-103-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016cec-106.dat	upx
behavioral1/files/0x0006000000016cec-112.dat	upx
behavioral1/files/0x0006000000016cec-108.dat	upx
behavioral1/files/0x0006000000016cec-119.dat	upx
behavioral1/files/0x0006000000016cfc-121.dat	upx
behavioral1/files/0x0006000000016cfc-123.dat	upx
behavioral1/files/0x0006000000016cfc-128.dat	upx
behavioral1/memory/2776-145-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1968-136-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000016d04-146.dat	upx
behavioral1/files/0x0007000000016d04-152.dat	upx
behavioral1/files/0x0007000000016d04-148.dat	upx
behavioral1/memory/2604-158-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000016d04-160.dat	upx
behavioral1/files/0x0007000000016cf2-162.dat	upx
behavioral1/files/0x0007000000016cf2-164.dat	upx
behavioral1/memory/1652-170-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0007000000016cf2-169.dat	upx
behavioral1/files/0x0007000000016cf2-173.dat	upx
behavioral1/files/0x0006000000016d40-175.dat	upx
behavioral1/files/0x0006000000016d40-182.dat	upx
behavioral1/files/0x0006000000016d40-177.dat	upx
behavioral1/memory/984-187-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1088-188-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/files/0x0006000000016d66-189.dat	upx
behavioral1/files/0x0006000000016d66-196.dat	upx
behavioral1/files/0x0006000000016d66-191.dat	upx
behavioral1/memory/2936-200-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Defender\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Journal\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	NEAS.5854ece0350424da38607f1d222f8780.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2156	NEAS.5854ece0350424da38607f1d222f8780.exe
2292	backup.exe
2788	backup.exe
2664	backup.exe
2672	backup.exe
2676	backup.exe
2688	backup.exe
2536	backup.exe
1652	backup.exe
2776	backup.exe
1968	data.exe
2604	System Restore.exe
984	backup.exe
1088	backup.exe
2936	backup.exe
2080	backup.exe
1624	System Restore.exe
1340	backup.exe
1524	backup.exe
340	backup.exe
2016	backup.exe
1276	backup.exe
2484	backup.exe
3028	backup.exe
2600	backup.exe
1700	backup.exe
1704	backup.exe
2312	backup.exe
2608	backup.exe
2656	backup.exe
2824	backup.exe
2784	backup.exe
2068	System Restore.exe
2468	backup.exe
2684	backup.exe
3060	backup.exe
2336	backup.exe
2192	backup.exe
2752	backup.exe
1488	backup.exe
1884	backup.exe
2708	backup.exe
2728	backup.exe
576	update.exe
1156	backup.exe
760	data.exe
2324	backup.exe
2612	backup.exe
1300	data.exe
2256	backup.exe
612	backup.exe
1172	backup.exe
1756	backup.exe
1772	backup.exe
952	backup.exe
2236	backup.exe
1032	backup.exe
1544	backup.exe
1276	backup.exe
876	backup.exe
2484	backup.exe
1760	backup.exe
2600	backup.exe
1700	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2292	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	28
PID 2156 wrote to memory of 2292	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	28
PID 2156 wrote to memory of 2292	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	28
PID 2156 wrote to memory of 2292	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	28
PID 2156 wrote to memory of 2788	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	29
PID 2156 wrote to memory of 2788	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	29
PID 2156 wrote to memory of 2788	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	29
PID 2156 wrote to memory of 2788	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	29
PID 2156 wrote to memory of 2664	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	30
PID 2156 wrote to memory of 2664	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	30
PID 2156 wrote to memory of 2664	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	30
PID 2156 wrote to memory of 2664	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	30
PID 2156 wrote to memory of 2672	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	31
PID 2156 wrote to memory of 2672	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	31
PID 2156 wrote to memory of 2672	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	31
PID 2156 wrote to memory of 2672	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	31
PID 2156 wrote to memory of 2676	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	32
PID 2156 wrote to memory of 2676	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	32
PID 2156 wrote to memory of 2676	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	32
PID 2156 wrote to memory of 2676	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	32
PID 2156 wrote to memory of 2688	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	33
PID 2156 wrote to memory of 2688	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	33
PID 2156 wrote to memory of 2688	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	33
PID 2156 wrote to memory of 2688	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	33
PID 2156 wrote to memory of 2536	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	34
PID 2156 wrote to memory of 2536	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	34
PID 2156 wrote to memory of 2536	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	34
PID 2156 wrote to memory of 2536	2156	NEAS.5854ece0350424da38607f1d222f8780.exe	34
PID 2292 wrote to memory of 1652	2292	backup.exe	35
PID 2292 wrote to memory of 1652	2292	backup.exe	35
PID 2292 wrote to memory of 1652	2292	backup.exe	35
PID 2292 wrote to memory of 1652	2292	backup.exe	35
PID 1652 wrote to memory of 2776	1652	backup.exe	36
PID 1652 wrote to memory of 2776	1652	backup.exe	36
PID 1652 wrote to memory of 2776	1652	backup.exe	36
PID 1652 wrote to memory of 2776	1652	backup.exe	36
PID 2776 wrote to memory of 1968	2776	backup.exe	37
PID 2776 wrote to memory of 1968	2776	backup.exe	37
PID 2776 wrote to memory of 1968	2776	backup.exe	37
PID 2776 wrote to memory of 1968	2776	backup.exe	37
PID 1652 wrote to memory of 2604	1652	backup.exe	38
PID 1652 wrote to memory of 2604	1652	backup.exe	38
PID 1652 wrote to memory of 2604	1652	backup.exe	38
PID 1652 wrote to memory of 2604	1652	backup.exe	38
PID 2604 wrote to memory of 984	2604	System Restore.exe	39
PID 2604 wrote to memory of 984	2604	System Restore.exe	39
PID 2604 wrote to memory of 984	2604	System Restore.exe	39
PID 2604 wrote to memory of 984	2604	System Restore.exe	39
PID 984 wrote to memory of 1088	984	backup.exe	40
PID 984 wrote to memory of 1088	984	backup.exe	40
PID 984 wrote to memory of 1088	984	backup.exe	40
PID 984 wrote to memory of 1088	984	backup.exe	40
PID 2604 wrote to memory of 2936	2604	System Restore.exe	41
PID 2604 wrote to memory of 2936	2604	System Restore.exe	41
PID 2604 wrote to memory of 2936	2604	System Restore.exe	41
PID 2604 wrote to memory of 2936	2604	System Restore.exe	41
PID 2936 wrote to memory of 2080	2936	backup.exe	42
PID 2936 wrote to memory of 2080	2936	backup.exe	42
PID 2936 wrote to memory of 2080	2936	backup.exe	42
PID 2936 wrote to memory of 2080	2936	backup.exe	42
PID 2080 wrote to memory of 1624	2080	backup.exe	43
PID 2080 wrote to memory of 1624	2080	backup.exe	43
PID 2080 wrote to memory of 1624	2080	backup.exe	43
PID 2080 wrote to memory of 1624	2080	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.5854ece0350424da38607f1d222f8780.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5854ece0350424da38607f1d222f8780.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\168672966\backup.exe
  C:\Users\Admin\AppData\Local\Temp\168672966\backup.exe C:\Users\Admin\AppData\Local\Temp\168672966\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\PerfLogs\Admin\data.exe
        
        C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:984
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2552
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:3060
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2752
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        System policy modification
        
        PID:388
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        System policy modification
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        System policy modification
        
        PID:2920
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        System policy modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1804
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1176
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1712
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        System policy modification
        
        PID:3028
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2608
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2648
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2552
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2536
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2584
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\System\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\en-US\System Restore.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:272
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1012
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\System\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1392
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2172
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2696
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3064
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1048
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1544
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2848
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1496
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2360
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2368
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:664
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2396
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2356
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3060
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2408
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:2904
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2940
      - C:\Program Files\DVD Maker\fr-FR\System Restore.exe
        
        "C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2996
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:2384
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1108
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1516
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:2224
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2852
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:2868
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:272
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2724
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2136
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        System policy modification
        
        PID:1244
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2056
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2416
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:640
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1844
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:3036
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1608
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1300
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1732
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2816
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1488
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:388
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2560
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3032
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2820
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2536
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1548
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:980
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2632
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1656
    - - C:\Program Files\VideoLAN\data.exe
        
        "C:\Program Files\VideoLAN\data.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2072
    - - C:\Program Files\Windows Defender\data.exe
        
        "C:\Program Files\Windows Defender\data.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:952
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2312
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:812
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2076
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        System policy modification
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:2772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2040
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2000
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2256
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1032
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:804
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        System policy modification
        
        PID:1644
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1748
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2720
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2700
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1760
      - C:\Program Files (x86)\Common Files\System\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\System Restore.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2884
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1388
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2132
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2412
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1832
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1032
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2460
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1792
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1160
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2952
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2160
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:692
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2080
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2588
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:708
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2164
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1332
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:892
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1764
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:536
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2188
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2172
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1512
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2956
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2032
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1604
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2536

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
1⤵
- Drops file in Program Files directory
- System policy modification
PID:2800
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
  2⤵
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe

Filesize
176KB

MD5
8a80ee7bb87fb27e8b464afc8d2c023b

SHA1
06e385afa2fc3161e58955c5bee15961e8c4097c

SHA256
b5e91ef8f4ccd22bca19764bbbf4abba7b80812f432ebda81a73ac2d7596552d

SHA512
c22835e13dd3cd6626b63a4d257a54e53f6ec04c988160ae7dd2df36a16062dd39c35ce274c5f375808c286226f5ca91722bca87a525ba0310b8dc1daeb234b1

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
d961ecbeb74ba0909bc97748b7a4e14e

SHA1
a1f04293f71031710cd962c3ddb8c69ae0088337

SHA256
24a065a58965384c665537baa545b1acdfe85145ca859e04f9d0258441f9c8ae

SHA512
5efe532d2c9f08a56f780c220623591a02e69fd269153ef8303da4fe18cdca823d03743f954f491da015d76fa72fe6bf6ca99505effcce5308497c96711a0121

Download Submit
C:\PerfLogs\backup.exe

Filesize
176KB

MD5
d961ecbeb74ba0909bc97748b7a4e14e

SHA1
a1f04293f71031710cd962c3ddb8c69ae0088337

SHA256
24a065a58965384c665537baa545b1acdfe85145ca859e04f9d0258441f9c8ae

SHA512
5efe532d2c9f08a56f780c220623591a02e69fd269153ef8303da4fe18cdca823d03743f954f491da015d76fa72fe6bf6ca99505effcce5308497c96711a0121

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
cbd46c31b13d49790642e96502d69362

SHA1
bffc2aeeaa5a387abfc48d512493af1a78c4129b

SHA256
06a63ebd92ffe3801f8a422e3fee41629f63c92f9a8a3d500b194198ef09c6ad

SHA512
9c440ebc890d1543e9b404b11970d4cfc29180d57dad01eaa03cd7c5cc1d34b63d71b81d33cd0ac6f88acee83c0df3e0d3ad99f1ad584751197e392729a39ad0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
0cff28e0d850873e4892740cec7853eb

SHA1
7f0738269d391181bb3823e4fdd7ca91bac58c57

SHA256
3b40e02f4383c3f8cac2f23acc28c32b80932cc978a0e3b78d6fc89869b32470

SHA512
00f0f52a7261152579ed1083b2310fcc381f44d70dda9ae008966ab86e2796224ff839216234115141eb06c608d21ab736fb623ebfbabf3f21fd3e55761c5d49

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
0cff28e0d850873e4892740cec7853eb

SHA1
7f0738269d391181bb3823e4fdd7ca91bac58c57

SHA256
3b40e02f4383c3f8cac2f23acc28c32b80932cc978a0e3b78d6fc89869b32470

SHA512
00f0f52a7261152579ed1083b2310fcc381f44d70dda9ae008966ab86e2796224ff839216234115141eb06c608d21ab736fb623ebfbabf3f21fd3e55761c5d49

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
C:\Program Files\System Restore.exe

Filesize
176KB

MD5
312275863ea6a60f9a7e2eb121cf2a63

SHA1
2d7cc1dfbdaec8cd9f35204a4659ca1deb49e5ec

SHA256
716b2d59c66b7426103ee62f21f940e804fa79ff276b25a9d70390d13cfa6d78

SHA512
353afc4b80ab53b8e7cbde0494eaa847a52fe19545de5582154f89398d3f64f940ece23072cf434381ce16e93a4508d7b5b5a69126141f7c4cfe979cbd8777aa

Download Submit
C:\Program Files\System Restore.exe

Filesize
176KB

MD5
312275863ea6a60f9a7e2eb121cf2a63

SHA1
2d7cc1dfbdaec8cd9f35204a4659ca1deb49e5ec

SHA256
716b2d59c66b7426103ee62f21f940e804fa79ff276b25a9d70390d13cfa6d78

SHA512
353afc4b80ab53b8e7cbde0494eaa847a52fe19545de5582154f89398d3f64f940ece23072cf434381ce16e93a4508d7b5b5a69126141f7c4cfe979cbd8777aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\168672966\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\168672966\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\168672966\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
33KB

MD5
35dfcc1e2f7ad07fea946fb43dcd8fcc

SHA1
29ff829f2b9779e0c1e747a68cabf425ada5f1ac

SHA256
3c29a80cf06fb7d3f0cb8efc5db282fc4f4900e6dbc562a679944338e5dae3a6

SHA512
2c8906b99eda1916309da390d572951a08e10dc0aa2785ebe680f87a228de29f5fdfc74bdcf40c6c5dc1f09930463bae2d6c9ce97d60bf3fe92687c153d8f3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
176KB

MD5
299bb1db167c8c31cfc30e3608eea3af

SHA1
d6c8c48881299371beebc97b7e39867ec54037bd

SHA256
4b8ab11d9ae5bde941418ca469d82d07d4ad8227183e8557ab879af2e5da9efc

SHA512
84030c20185820fb05a40f1b5de980c97f4aef0875d1776c01460448fbdfd6e98cc0923f2959bab6148370dad57d7e8b35a066275f39a94d99b6fc5788ca4558

Download Submit
C:\backup.exe

Filesize
176KB

MD5
299bb1db167c8c31cfc30e3608eea3af

SHA1
d6c8c48881299371beebc97b7e39867ec54037bd

SHA256
4b8ab11d9ae5bde941418ca469d82d07d4ad8227183e8557ab879af2e5da9efc

SHA512
84030c20185820fb05a40f1b5de980c97f4aef0875d1776c01460448fbdfd6e98cc0923f2959bab6148370dad57d7e8b35a066275f39a94d99b6fc5788ca4558

Download Submit
\PerfLogs\Admin\data.exe

Filesize
176KB

MD5
8a80ee7bb87fb27e8b464afc8d2c023b

SHA1
06e385afa2fc3161e58955c5bee15961e8c4097c

SHA256
b5e91ef8f4ccd22bca19764bbbf4abba7b80812f432ebda81a73ac2d7596552d

SHA512
c22835e13dd3cd6626b63a4d257a54e53f6ec04c988160ae7dd2df36a16062dd39c35ce274c5f375808c286226f5ca91722bca87a525ba0310b8dc1daeb234b1

Download Submit
\PerfLogs\Admin\data.exe

Filesize
176KB

MD5
8a80ee7bb87fb27e8b464afc8d2c023b

SHA1
06e385afa2fc3161e58955c5bee15961e8c4097c

SHA256
b5e91ef8f4ccd22bca19764bbbf4abba7b80812f432ebda81a73ac2d7596552d

SHA512
c22835e13dd3cd6626b63a4d257a54e53f6ec04c988160ae7dd2df36a16062dd39c35ce274c5f375808c286226f5ca91722bca87a525ba0310b8dc1daeb234b1

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
d961ecbeb74ba0909bc97748b7a4e14e

SHA1
a1f04293f71031710cd962c3ddb8c69ae0088337

SHA256
24a065a58965384c665537baa545b1acdfe85145ca859e04f9d0258441f9c8ae

SHA512
5efe532d2c9f08a56f780c220623591a02e69fd269153ef8303da4fe18cdca823d03743f954f491da015d76fa72fe6bf6ca99505effcce5308497c96711a0121

Download Submit
\PerfLogs\backup.exe

Filesize
176KB

MD5
d961ecbeb74ba0909bc97748b7a4e14e

SHA1
a1f04293f71031710cd962c3ddb8c69ae0088337

SHA256
24a065a58965384c665537baa545b1acdfe85145ca859e04f9d0258441f9c8ae

SHA512
5efe532d2c9f08a56f780c220623591a02e69fd269153ef8303da4fe18cdca823d03743f954f491da015d76fa72fe6bf6ca99505effcce5308497c96711a0121

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
cbd46c31b13d49790642e96502d69362

SHA1
bffc2aeeaa5a387abfc48d512493af1a78c4129b

SHA256
06a63ebd92ffe3801f8a422e3fee41629f63c92f9a8a3d500b194198ef09c6ad

SHA512
9c440ebc890d1543e9b404b11970d4cfc29180d57dad01eaa03cd7c5cc1d34b63d71b81d33cd0ac6f88acee83c0df3e0d3ad99f1ad584751197e392729a39ad0

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
176KB

MD5
cbd46c31b13d49790642e96502d69362

SHA1
bffc2aeeaa5a387abfc48d512493af1a78c4129b

SHA256
06a63ebd92ffe3801f8a422e3fee41629f63c92f9a8a3d500b194198ef09c6ad

SHA512
9c440ebc890d1543e9b404b11970d4cfc29180d57dad01eaa03cd7c5cc1d34b63d71b81d33cd0ac6f88acee83c0df3e0d3ad99f1ad584751197e392729a39ad0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
0cff28e0d850873e4892740cec7853eb

SHA1
7f0738269d391181bb3823e4fdd7ca91bac58c57

SHA256
3b40e02f4383c3f8cac2f23acc28c32b80932cc978a0e3b78d6fc89869b32470

SHA512
00f0f52a7261152579ed1083b2310fcc381f44d70dda9ae008966ab86e2796224ff839216234115141eb06c608d21ab736fb623ebfbabf3f21fd3e55761c5d49

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
176KB

MD5
0cff28e0d850873e4892740cec7853eb

SHA1
7f0738269d391181bb3823e4fdd7ca91bac58c57

SHA256
3b40e02f4383c3f8cac2f23acc28c32b80932cc978a0e3b78d6fc89869b32470

SHA512
00f0f52a7261152579ed1083b2310fcc381f44d70dda9ae008966ab86e2796224ff839216234115141eb06c608d21ab736fb623ebfbabf3f21fd3e55761c5d49

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
176KB

MD5
5ecda8de4c77d049ae58acadbecf4056

SHA1
3090c6cbb928828fc5e2aadb7ac0498593355a00

SHA256
5d599697080f5332c69ca2afa35a68aae01a3e0814b5d54b9d42f10b1c38edb2

SHA512
f9f9518c3e4d76821256054d043d4dff3722e0a09b7adc1e3b5e0af0330f1c0b82d91073c683d5817a7c2e9f9d1ea0d0d9788dc3897dd6e9f2720c5aafa3ef4f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
176KB

MD5
2fc56a1f73a96d234a4cceadfdbff0d6

SHA1
38b44681b8992f46d8446b93ec8ec0dcd7bf2e07

SHA256
f62cd0c66f926695fec5e9e0844598c7d9a8b1864297c6e66e2bfe0693b4d982

SHA512
3e1ea6583c9ac93f50ab4732d9ddb6900af07b7b445aca29d2abf3b95f7cc2972fe67d37d88d8e0191971e17296194bef9a1174cd1d49e198a7443e31cf46ad1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
176KB

MD5
3f3612814eaa38ab811abd72e25e1cc9

SHA1
c115206668d43d248d928e9dff5aaa7d360cadc9

SHA256
4fd51f7a6440aa68943403ae96d1d75428ed4a59526cc238440269ec1339b1c8

SHA512
af6b27e2a9161c58ddba21271dcb306b3e3d95c55dacb45819ed799812423a268401170e96c6bdd6cc646dff896d0c70bcd76e5c0c8aec70deb2294cf15ad26f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
176KB

MD5
ec035dc12972045711d2010e79799f75

SHA1
f33db72f3f137e1bc0abb49d5dc1bbb259c20bb4

SHA256
3fe698514552b12d7207770df6ae37142ab524c235afc51a2517f921183fa2d9

SHA512
70b0e1aeb9b6f8b223475431494b0dc16776d12433b573acc500db4ce0f12e86715426815b99f09f23ced61cbaafbc79bfbbf2e8b356bf76436ed11d3b8b25c4

Download Submit
\Program Files\System Restore.exe

Filesize
176KB

MD5
312275863ea6a60f9a7e2eb121cf2a63

SHA1
2d7cc1dfbdaec8cd9f35204a4659ca1deb49e5ec

SHA256
716b2d59c66b7426103ee62f21f940e804fa79ff276b25a9d70390d13cfa6d78

SHA512
353afc4b80ab53b8e7cbde0494eaa847a52fe19545de5582154f89398d3f64f940ece23072cf434381ce16e93a4508d7b5b5a69126141f7c4cfe979cbd8777aa

Download Submit
\Program Files\System Restore.exe

Filesize
176KB

MD5
312275863ea6a60f9a7e2eb121cf2a63

SHA1
2d7cc1dfbdaec8cd9f35204a4659ca1deb49e5ec

SHA256
716b2d59c66b7426103ee62f21f940e804fa79ff276b25a9d70390d13cfa6d78

SHA512
353afc4b80ab53b8e7cbde0494eaa847a52fe19545de5582154f89398d3f64f940ece23072cf434381ce16e93a4508d7b5b5a69126141f7c4cfe979cbd8777aa

Download Submit
\Users\Admin\AppData\Local\Temp\168672966\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\168672966\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
176KB

MD5
1b5707b7746b2424e40324e7ae726aca

SHA1
28354ddd0bcb87f05ec039073dc5215523eb43a8

SHA256
31e05feadc3c8e48b711fb084b8c26ba016afa1dfae3f4dde94b0aa63ffe30d4

SHA512
a5565a5e51dcc0edbba2b8933d3418c4fcb03fd7b79b12f665255cf1a5dea98f02e9d41798ec93b1c1b8ccd2b84e2341e51bfe3ff0968fd5336f5159d1ea0bc8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
176KB

MD5
7599783db6da0a3d5c1eea2066ccf312

SHA1
62b28876053569c5a8591f28da7446ad91378f0b

SHA256
397b019f5cbcd2410f35cf3b91b963eae4b0492f345df2dc7659dae9ede0f6ce

SHA512
cbf9130d5ab7fc8ef966b6c2e8ad1f21987c9216225db2b7b4422077d9c2b8c68b693ec48089fe151e3f3f544c92873478f04b6418c0b2ba861983cc354904f2

Download Submit
memory/340-273-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/984-183-0x0000000000790000-0x00000000007BC000-memory.dmp

Filesize
176KB

Download
memory/984-181-0x0000000000790000-0x00000000007BC000-memory.dmp

Filesize
176KB

Download
memory/984-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-188-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1276-291-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-322-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1340-297-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-256-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1340-287-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1340-288-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1524-260-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1624-231-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1652-213-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/1652-170-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1652-114-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/1652-103-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1652-156-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/1652-153-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/1700-326-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1968-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2016-282-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2080-269-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2080-236-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/2080-224-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/2156-102-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2156-113-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-198-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2156-127-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2156-11-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-154-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2156-129-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-83-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-84-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-35-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-159-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-77-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2156-24-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2292-168-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2292-100-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2292-98-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2292-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2292-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2484-301-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2536-87-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-318-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2604-195-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/2604-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2604-215-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2656-359-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/2664-93-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2672-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2776-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2788-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2936-211-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/2936-200-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2936-268-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/2936-210-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/2936-255-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3028-309-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads