3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce

Analysis

max time kernel
152s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
Size

72KB
MD5

60d0357391a611b13a230cbb3a3533dc
SHA1

94e02260ec1fd20c05c92c10a12516d0df92e2bd
SHA256

3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce
SHA512

92c2039405be82327b0d8a05216cc43155da537c9a38c314c6773d292dcbcfe562b88b394e6d8f439a0c5ab083e3c56f65d4f42bbd83f6ed0df2722f39c5be7a
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2s:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrQ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1252	backup.exe
676	backup.exe
552	backup.exe
1744	backup.exe
1612	backup.exe
828	backup.exe
360	backup.exe
1624	backup.exe
1276	backup.exe
1268	backup.exe
2004	backup.exe
1964	backup.exe
600	backup.exe
1348	update.exe
2044	update.exe
1552	backup.exe
388	backup.exe
1908	backup.exe
1492	backup.exe
1072	backup.exe
1844	update.exe
1612	backup.exe
1120	backup.exe
1888	backup.exe
1400	data.exe
1568	backup.exe
1596	backup.exe
1768	data.exe
1260	System Restore.exe
1228	data.exe
436	backup.exe
1936	backup.exe
1968	backup.exe
964	backup.exe
1780	backup.exe
1056	backup.exe
1932	backup.exe
1580	backup.exe
1332	backup.exe
1736	backup.exe
1188	backup.exe
1684	backup.exe
1628	backup.exe
568	backup.exe
1700	backup.exe
976	backup.exe
1948	backup.exe
828	backup.exe
1644	backup.exe
108	data.exe
1536	backup.exe
1984	backup.exe
820	backup.exe
1768	backup.exe
1140	backup.exe
1720	backup.exe
1940	backup.exe
436	backup.exe
1936	backup.exe
984	backup.exe
964	backup.exe
604	System Restore.exe
1132	backup.exe
1516	data.exe

Loads dropped DLL 64 IoCs

pid	Process
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1624	backup.exe
1624	backup.exe
1276	backup.exe
1276	backup.exe
1624	backup.exe
1624	backup.exe
2004	backup.exe
2004	backup.exe
1964	backup.exe
1964	backup.exe
2004	backup.exe
1348	update.exe
1348	update.exe
1348	update.exe
1348	update.exe
2044	update.exe
2044	update.exe
2044	update.exe
2044	update.exe
2044	update.exe
1552	backup.exe
1552	backup.exe
1552	backup.exe
2044	update.exe
2044	update.exe
388	backup.exe
388	backup.exe
388	backup.exe
388	backup.exe
388	backup.exe
1908	backup.exe
1908	backup.exe
1908	backup.exe
388	backup.exe
388	backup.exe
1492	backup.exe
1492	backup.exe
1492	backup.exe
388	backup.exe
388	backup.exe
1072	backup.exe
1072	backup.exe
1072	backup.exe
388	backup.exe
1844	update.exe
1844	update.exe
1844	update.exe
388	backup.exe
388	backup.exe
1612	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\data.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
1252	backup.exe
676	backup.exe
552	backup.exe
1744	backup.exe
1612	backup.exe
828	backup.exe
360	backup.exe
1624	backup.exe
1276	backup.exe
1268	backup.exe
2004	backup.exe
1964	backup.exe
600	backup.exe
1348	update.exe
2044	update.exe
1552	backup.exe
388	backup.exe
1908	backup.exe
1492	backup.exe
1072	backup.exe
1844	update.exe
1612	backup.exe
1120	backup.exe
1888	backup.exe
1400	data.exe
1568	backup.exe
1596	backup.exe
1768	data.exe
1260	System Restore.exe
1228	data.exe
436	backup.exe
1936	backup.exe
1968	backup.exe
964	backup.exe
1780	backup.exe
1056	backup.exe
1580	backup.exe
1932	backup.exe
1332	backup.exe
1736	backup.exe
1188	backup.exe
1684	backup.exe
1628	backup.exe
568	backup.exe
976	backup.exe
1700	backup.exe
1644	backup.exe
828	backup.exe
108	data.exe
1536	backup.exe
1984	backup.exe
820	backup.exe
1140	backup.exe
1720	backup.exe
1768	backup.exe
436	backup.exe
1940	backup.exe
1936	backup.exe
984	backup.exe
964	backup.exe
604	System Restore.exe
1132	backup.exe
1516	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1252	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	27
PID 1732 wrote to memory of 1252	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	27
PID 1732 wrote to memory of 1252	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	27
PID 1732 wrote to memory of 1252	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	27
PID 1732 wrote to memory of 676	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	28
PID 1732 wrote to memory of 676	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	28
PID 1732 wrote to memory of 676	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	28
PID 1732 wrote to memory of 676	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	28
PID 1732 wrote to memory of 552	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	29
PID 1732 wrote to memory of 552	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	29
PID 1732 wrote to memory of 552	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	29
PID 1732 wrote to memory of 552	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	29
PID 1732 wrote to memory of 1744	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	30
PID 1732 wrote to memory of 1744	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	30
PID 1732 wrote to memory of 1744	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	30
PID 1732 wrote to memory of 1744	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	30
PID 1732 wrote to memory of 1612	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	31
PID 1732 wrote to memory of 1612	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	31
PID 1732 wrote to memory of 1612	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	31
PID 1732 wrote to memory of 1612	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	31
PID 1732 wrote to memory of 828	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	32
PID 1732 wrote to memory of 828	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	32
PID 1732 wrote to memory of 828	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	32
PID 1732 wrote to memory of 828	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	32
PID 1732 wrote to memory of 360	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	33
PID 1732 wrote to memory of 360	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	33
PID 1732 wrote to memory of 360	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	33
PID 1732 wrote to memory of 360	1732	3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe	33
PID 1252 wrote to memory of 1624	1252	backup.exe	34
PID 1252 wrote to memory of 1624	1252	backup.exe	34
PID 1252 wrote to memory of 1624	1252	backup.exe	34
PID 1252 wrote to memory of 1624	1252	backup.exe	34
PID 1624 wrote to memory of 1276	1624	backup.exe	35
PID 1624 wrote to memory of 1276	1624	backup.exe	35
PID 1624 wrote to memory of 1276	1624	backup.exe	35
PID 1624 wrote to memory of 1276	1624	backup.exe	35
PID 1276 wrote to memory of 1268	1276	backup.exe	36
PID 1276 wrote to memory of 1268	1276	backup.exe	36
PID 1276 wrote to memory of 1268	1276	backup.exe	36
PID 1276 wrote to memory of 1268	1276	backup.exe	36
PID 1624 wrote to memory of 2004	1624	backup.exe	37
PID 1624 wrote to memory of 2004	1624	backup.exe	37
PID 1624 wrote to memory of 2004	1624	backup.exe	37
PID 1624 wrote to memory of 2004	1624	backup.exe	37
PID 2004 wrote to memory of 1964	2004	backup.exe	38
PID 2004 wrote to memory of 1964	2004	backup.exe	38
PID 2004 wrote to memory of 1964	2004	backup.exe	38
PID 2004 wrote to memory of 1964	2004	backup.exe	38
PID 1964 wrote to memory of 600	1964	backup.exe	39
PID 1964 wrote to memory of 600	1964	backup.exe	39
PID 1964 wrote to memory of 600	1964	backup.exe	39
PID 1964 wrote to memory of 600	1964	backup.exe	39
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 2004 wrote to memory of 1348	2004	backup.exe	40
PID 1348 wrote to memory of 2044	1348	update.exe	41
PID 1348 wrote to memory of 2044	1348	update.exe	41
PID 1348 wrote to memory of 2044	1348	update.exe	41
PID 1348 wrote to memory of 2044	1348	update.exe	41
PID 1348 wrote to memory of 2044	1348	update.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe
"C:\Users\Admin\AppData\Local\Temp\3f4ffeb44a1db73b183f339ac6c405ff9800df2c5398e4f244c90e68c01041ce.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\1588059977\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1588059977\backup.exe C:\Users\Admin\AppData\Local\Temp\1588059977\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1252
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1624
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1276
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2004
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:600
    - - C:\Program Files\Common Files\update.exe
        
        "C:\Program Files\Common Files\update.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1400
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:2612
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:660
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2096
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2236
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        
        PID:1948
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:960
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1276
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:976
        
        C:\Program Files\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:276
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1648
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Disables RegEdit via registry modification
        
        PID:860
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:820
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2196
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2336
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2492
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2640
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1736
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1720
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1516
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1264
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:904
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1516
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:920
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:2076
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2264
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2420
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2576
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:952
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1320
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1768
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:1488
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:828
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1588
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1944
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1320
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:368
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2188
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:2344
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2476
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1720
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1256
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1268
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:660
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2700
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        System policy modification
        
        PID:960
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1152
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2204
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2352
    - - C:\Program Files\Reference Assemblies\update.exe
        
        "C:\Program Files\Reference Assemblies\update.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2484
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2632
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1580
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Program Files (x86)\Adobe\Reader 9.0\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1324
    - - C:\Program Files (x86)\Common Files\data.exe
        
        "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1532
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1092
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:964
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2068
      - C:\Program Files (x86)\Common Files\SpeechEngines\data.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\data.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2256
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2436
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1008
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2444
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2604
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:688
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1928
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:360
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2380
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2532
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2684
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1816
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1400
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1292
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1936
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1256
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1596
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:604
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1348
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1060
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2180
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2324
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2512
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2652
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1856
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2052
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2216
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2388
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2540
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2672
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1964
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:676
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:552
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:828
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ab6264ff4946fcca3632f006a8a3d961

SHA1
65b30e4a692cd7c299b6a859cfed71da82a11935

SHA256
19b16010de3979d94000784047f2dbdc6a4f6ad1e638a90fcfa38ee2b7a6747e

SHA512
98ca2ded8111e5669ddc704a058c0532dee82b13af9de828dd32c78d6c7856643953e9dffde94b48d82f385c546ec8bb57a3f13f489dca91f95a42d47c6109d2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1338f84b38774f8a5ff7b804bfbb63f0

SHA1
a5376755d4f3a4a57b4d7ba7730a20744ca128d2

SHA256
08307327a055011fbb67c54a025909476b454002a0ac09e3e98ca5d00de9321e

SHA512
0719a170ad87a5ff0ab18a1cc0ce3ac487b976abc300d6c0059a01ac928cb990f39f4b9862d8b129f734aa91a30c1cb1682734daed00beee8da99a9aead6edbe

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1338f84b38774f8a5ff7b804bfbb63f0

SHA1
a5376755d4f3a4a57b4d7ba7730a20744ca128d2

SHA256
08307327a055011fbb67c54a025909476b454002a0ac09e3e98ca5d00de9321e

SHA512
0719a170ad87a5ff0ab18a1cc0ce3ac487b976abc300d6c0059a01ac928cb990f39f4b9862d8b129f734aa91a30c1cb1682734daed00beee8da99a9aead6edbe

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f553d81cb496fa2ad3d925d0769c00f6

SHA1
c9594cd26912773791c0128bc815d3bd00309832

SHA256
9b1de6d7f6136b31902f5e5a0b8329acc91f11df973f84dfff11235c20f61f3d

SHA512
20d5b3791bb6f5f41d9e7c7607f68e0f77bd59f9bc6b10920d547e9d11b51cbaa2b1f615b71cb9b2c2af4796fdb51b5f0fd664e914b977230649f552dfb7af1d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6128469007960d98b1604afd9f564cb6

SHA1
b662cb2130d21be8a60b52a5d21cc3bca9b1fe0b

SHA256
e91d65301c88a0c88098477b9d0abd82f4e556897f816fb414f4d03d85423295

SHA512
30c4f8d79156004f3143fea00f5f82aa148f41d708ca71f3fd5a8cfaafd5d6a83e966cc4fd1fdf819db309b49c848a4303880b02be489240edf54a546910ff9c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6128469007960d98b1604afd9f564cb6

SHA1
b662cb2130d21be8a60b52a5d21cc3bca9b1fe0b

SHA256
e91d65301c88a0c88098477b9d0abd82f4e556897f816fb414f4d03d85423295

SHA512
30c4f8d79156004f3143fea00f5f82aa148f41d708ca71f3fd5a8cfaafd5d6a83e966cc4fd1fdf819db309b49c848a4303880b02be489240edf54a546910ff9c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb53bc50e945d5e434d3ec54dfc011f9

SHA1
4ac5ed6746d5a80ffb05a488d750144f75dc33dc

SHA256
e6f4255ce2bc25c760f77e89c27a5b011e5d1b2456fcb2697c0ae1b53c78680d

SHA512
b8c5d41e6aa1587fcde24dee130ef9c6ecad3c9c0d8e0aa4b654c3f027e49c290f54a98cc2ce83c91431d7b513d713b2d2b0fbfb29814ef47e3904a7537f07c7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ad4c796657bbc85dcbc86da770fa4ff

SHA1
c10ce2112dec3d9fee79e8b2409f9a706f0316d0

SHA256
67d36343f42998fae637bcdef0dc9b2334799087306f2d52b60d9b1e3450dbda

SHA512
67e097582a00b36387bd3fc969a763c3b5871642363522cf07d09a2765112dc289626c08c91d4d27186c751933ac8beac9532c484272188f092037973b606939

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ad4c796657bbc85dcbc86da770fa4ff

SHA1
c10ce2112dec3d9fee79e8b2409f9a706f0316d0

SHA256
67d36343f42998fae637bcdef0dc9b2334799087306f2d52b60d9b1e3450dbda

SHA512
67e097582a00b36387bd3fc969a763c3b5871642363522cf07d09a2765112dc289626c08c91d4d27186c751933ac8beac9532c484272188f092037973b606939

Download Submit
C:\Users\Admin\AppData\Local\Temp\1588059977\backup.exe

Filesize
72KB

MD5
18e4e7736c62709bca3669d3b48b9355

SHA1
ecec9a687c27f6296c088f6abc0c265124072839

SHA256
11be00893b51130fb4c70db5d000fca6368e414a801afa4266749d3e47cd2b82

SHA512
8f6c207452afb78c32124d30971a0278affe092e7861291eefe8f02a40c789994872a370d9eaaabf0e16ae3562a71021b8c3ff33b9d84350decf871f917b84fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1588059977\backup.exe

Filesize
72KB

MD5
18e4e7736c62709bca3669d3b48b9355

SHA1
ecec9a687c27f6296c088f6abc0c265124072839

SHA256
11be00893b51130fb4c70db5d000fca6368e414a801afa4266749d3e47cd2b82

SHA512
8f6c207452afb78c32124d30971a0278affe092e7861291eefe8f02a40c789994872a370d9eaaabf0e16ae3562a71021b8c3ff33b9d84350decf871f917b84fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7174f28892370d698c35ae5734d2c6be

SHA1
ea9b4d96c32f2e9480c2e39bff34f6693e2813be

SHA256
a35bfdaf5972d979b591f6b5375fe0396f3e1b08f1d08927e587e1356d4954e5

SHA512
0692a94cbc07144b910d48238e1ab811e89cfce370cc9d694179d151b8abc231569a9af0ed8d8c037af3ba929065f74b3c6fbe60a0a7f1f192346b38a87e38c9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7174f28892370d698c35ae5734d2c6be

SHA1
ea9b4d96c32f2e9480c2e39bff34f6693e2813be

SHA256
a35bfdaf5972d979b591f6b5375fe0396f3e1b08f1d08927e587e1356d4954e5

SHA512
0692a94cbc07144b910d48238e1ab811e89cfce370cc9d694179d151b8abc231569a9af0ed8d8c037af3ba929065f74b3c6fbe60a0a7f1f192346b38a87e38c9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ab6264ff4946fcca3632f006a8a3d961

SHA1
65b30e4a692cd7c299b6a859cfed71da82a11935

SHA256
19b16010de3979d94000784047f2dbdc6a4f6ad1e638a90fcfa38ee2b7a6747e

SHA512
98ca2ded8111e5669ddc704a058c0532dee82b13af9de828dd32c78d6c7856643953e9dffde94b48d82f385c546ec8bb57a3f13f489dca91f95a42d47c6109d2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ab6264ff4946fcca3632f006a8a3d961

SHA1
65b30e4a692cd7c299b6a859cfed71da82a11935

SHA256
19b16010de3979d94000784047f2dbdc6a4f6ad1e638a90fcfa38ee2b7a6747e

SHA512
98ca2ded8111e5669ddc704a058c0532dee82b13af9de828dd32c78d6c7856643953e9dffde94b48d82f385c546ec8bb57a3f13f489dca91f95a42d47c6109d2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
1338f84b38774f8a5ff7b804bfbb63f0

SHA1
a5376755d4f3a4a57b4d7ba7730a20744ca128d2

SHA256
08307327a055011fbb67c54a025909476b454002a0ac09e3e98ca5d00de9321e

SHA512
0719a170ad87a5ff0ab18a1cc0ce3ac487b976abc300d6c0059a01ac928cb990f39f4b9862d8b129f734aa91a30c1cb1682734daed00beee8da99a9aead6edbe

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
1338f84b38774f8a5ff7b804bfbb63f0

SHA1
a5376755d4f3a4a57b4d7ba7730a20744ca128d2

SHA256
08307327a055011fbb67c54a025909476b454002a0ac09e3e98ca5d00de9321e

SHA512
0719a170ad87a5ff0ab18a1cc0ce3ac487b976abc300d6c0059a01ac928cb990f39f4b9862d8b129f734aa91a30c1cb1682734daed00beee8da99a9aead6edbe

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f553d81cb496fa2ad3d925d0769c00f6

SHA1
c9594cd26912773791c0128bc815d3bd00309832

SHA256
9b1de6d7f6136b31902f5e5a0b8329acc91f11df973f84dfff11235c20f61f3d

SHA512
20d5b3791bb6f5f41d9e7c7607f68e0f77bd59f9bc6b10920d547e9d11b51cbaa2b1f615b71cb9b2c2af4796fdb51b5f0fd664e914b977230649f552dfb7af1d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f553d81cb496fa2ad3d925d0769c00f6

SHA1
c9594cd26912773791c0128bc815d3bd00309832

SHA256
9b1de6d7f6136b31902f5e5a0b8329acc91f11df973f84dfff11235c20f61f3d

SHA512
20d5b3791bb6f5f41d9e7c7607f68e0f77bd59f9bc6b10920d547e9d11b51cbaa2b1f615b71cb9b2c2af4796fdb51b5f0fd664e914b977230649f552dfb7af1d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6128469007960d98b1604afd9f564cb6

SHA1
b662cb2130d21be8a60b52a5d21cc3bca9b1fe0b

SHA256
e91d65301c88a0c88098477b9d0abd82f4e556897f816fb414f4d03d85423295

SHA512
30c4f8d79156004f3143fea00f5f82aa148f41d708ca71f3fd5a8cfaafd5d6a83e966cc4fd1fdf819db309b49c848a4303880b02be489240edf54a546910ff9c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6128469007960d98b1604afd9f564cb6

SHA1
b662cb2130d21be8a60b52a5d21cc3bca9b1fe0b

SHA256
e91d65301c88a0c88098477b9d0abd82f4e556897f816fb414f4d03d85423295

SHA512
30c4f8d79156004f3143fea00f5f82aa148f41d708ca71f3fd5a8cfaafd5d6a83e966cc4fd1fdf819db309b49c848a4303880b02be489240edf54a546910ff9c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
4476e2f6edcecf4af7300bdba5e40327

SHA1
0fedd17f92b056d5d71e1c46d432467719780a79

SHA256
5c76e3431311d4326907438f2bdb453e518308bfa603de7ca49c92a667ea0ad6

SHA512
cddaf41f54f53469533c1cd0be709c16515eae18d7915fb20c2bfc6a93d4496878f691c88fd1a4ca88d5155caf49fc983d84746b94d8e23fea6be7ea53f3fd0a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb53bc50e945d5e434d3ec54dfc011f9

SHA1
4ac5ed6746d5a80ffb05a488d750144f75dc33dc

SHA256
e6f4255ce2bc25c760f77e89c27a5b011e5d1b2456fcb2697c0ae1b53c78680d

SHA512
b8c5d41e6aa1587fcde24dee130ef9c6ecad3c9c0d8e0aa4b654c3f027e49c290f54a98cc2ce83c91431d7b513d713b2d2b0fbfb29814ef47e3904a7537f07c7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fb53bc50e945d5e434d3ec54dfc011f9

SHA1
4ac5ed6746d5a80ffb05a488d750144f75dc33dc

SHA256
e6f4255ce2bc25c760f77e89c27a5b011e5d1b2456fcb2697c0ae1b53c78680d

SHA512
b8c5d41e6aa1587fcde24dee130ef9c6ecad3c9c0d8e0aa4b654c3f027e49c290f54a98cc2ce83c91431d7b513d713b2d2b0fbfb29814ef47e3904a7537f07c7

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
e02fc77d31691dade1f69e0301830868

SHA1
71a1ebf3b9b5a6289616f29fa13532c1ee9b7647

SHA256
cbdba192764c01c7920fa4de1020583797e43358ff1ef6ce9fd3ed02aee04e4f

SHA512
ed94d4b3042fb56139d4046bdbbaf7732cf06b4daf133d59c9f76ff059cff138069fc10edf00b815929c137f479fcc98ee330e7e1df72ff8a272b0370139124d

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
\Program Files\Common Files\update.exe

Filesize
72KB

MD5
0627acda546feb19c588c39c0d5e5805

SHA1
0daae6d61c3bc39f8776f0bdf4de223c3b42495f

SHA256
30b2a4847e2f4006fadd7ffffa34388641a92c9014ef63bcedc20697bdebe2c7

SHA512
462f786280a0354a3f7942beeb35bc4d3d702de03175f2e26a15cfdeeced4a5ac71214cca92e33df96d0fd73edd726e8fb2eb09eca5e68bd64db1f2f8a549e52

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ad4c796657bbc85dcbc86da770fa4ff

SHA1
c10ce2112dec3d9fee79e8b2409f9a706f0316d0

SHA256
67d36343f42998fae637bcdef0dc9b2334799087306f2d52b60d9b1e3450dbda

SHA512
67e097582a00b36387bd3fc969a763c3b5871642363522cf07d09a2765112dc289626c08c91d4d27186c751933ac8beac9532c484272188f092037973b606939

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ad4c796657bbc85dcbc86da770fa4ff

SHA1
c10ce2112dec3d9fee79e8b2409f9a706f0316d0

SHA256
67d36343f42998fae637bcdef0dc9b2334799087306f2d52b60d9b1e3450dbda

SHA512
67e097582a00b36387bd3fc969a763c3b5871642363522cf07d09a2765112dc289626c08c91d4d27186c751933ac8beac9532c484272188f092037973b606939

Download Submit
\Users\Admin\AppData\Local\Temp\1588059977\backup.exe

Filesize
72KB

MD5
18e4e7736c62709bca3669d3b48b9355

SHA1
ecec9a687c27f6296c088f6abc0c265124072839

SHA256
11be00893b51130fb4c70db5d000fca6368e414a801afa4266749d3e47cd2b82

SHA512
8f6c207452afb78c32124d30971a0278affe092e7861291eefe8f02a40c789994872a370d9eaaabf0e16ae3562a71021b8c3ff33b9d84350decf871f917b84fd

Download Submit
\Users\Admin\AppData\Local\Temp\1588059977\backup.exe

Filesize
72KB

MD5
18e4e7736c62709bca3669d3b48b9355

SHA1
ecec9a687c27f6296c088f6abc0c265124072839

SHA256
11be00893b51130fb4c70db5d000fca6368e414a801afa4266749d3e47cd2b82

SHA512
8f6c207452afb78c32124d30971a0278affe092e7861291eefe8f02a40c789994872a370d9eaaabf0e16ae3562a71021b8c3ff33b9d84350decf871f917b84fd

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a70b4297606ca93cb78e03db53a8dfb6

SHA1
d0149380dc05fbddf9595296d19727ee4a156361

SHA256
f50662bef421759330ae14eef28c9164909807fcffb10ea5c9c20b51b598ed9e

SHA512
99c02e0a55a64b226ef9c04e5997bdb0cc3d33fe344ec01282f9d30d25909b5549be8403cc7e11a8dfcc8a2be81dd05759690a363ee25f1813939962b15a1aad

Download Submit
memory/1732-98-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1732-105-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads