cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8

Analysis

max time kernel
151s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
Size

72KB
MD5

741938670b993ba36349e3fc39160d7d
SHA1

c6a70f17da34f948b3b01850b53990f5026f35af
SHA256

cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8
SHA512

a50c70691def51e87929061ba47c232597ffa1bc5995eda3aa942fd7e3462e293e322d3afd8307b5ce1370f6e454c00095dc3a85ce32b5c2a5f89662c7e8baea
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2/:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrT

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
696	backup.exe
764	backup.exe
1796	backup.exe
1740	backup.exe
992	backup.exe
1964	backup.exe
672	update.exe
1184	backup.exe
1924	backup.exe
908	backup.exe
1552	backup.exe
1516	backup.exe
1680	backup.exe
1640	backup.exe
1000	backup.exe
1224	backup.exe
1756	backup.exe
1596	backup.exe
1536	backup.exe
112	backup.exe
1936	backup.exe
800	backup.exe
1752	backup.exe
1568	backup.exe
1732	backup.exe
992	backup.exe
588	backup.exe
1704	backup.exe
1208	backup.exe
2028	backup.exe
1844	backup.exe
672	backup.exe
900	backup.exe
1972	backup.exe
1924	backup.exe
1616	backup.exe
576	backup.exe
1484	backup.exe
1608	data.exe
1308	data.exe
1160	backup.exe
1632	backup.exe
1376	backup.exe
1224	backup.exe
1088	backup.exe
624	backup.exe
1592	backup.exe
1144	backup.exe
1464	backup.exe
1108	backup.exe
1860	backup.exe
792	backup.exe
1724	backup.exe
972	backup.exe
1696	backup.exe
652	backup.exe
1964	backup.exe
1720	backup.exe
1600	backup.exe
1204	backup.exe
1532	backup.exe
632	backup.exe
1544	backup.exe
1320	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
672	update.exe
672	update.exe
672	update.exe
1184	backup.exe
1184	backup.exe
1924	backup.exe
1924	backup.exe
1184	backup.exe
1184	backup.exe
1552	backup.exe
1552	backup.exe
1516	backup.exe
1516	backup.exe
1552	backup.exe
1552	backup.exe
1640	backup.exe
1640	backup.exe
1000	backup.exe
1000	backup.exe
1000	backup.exe
1000	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1756	backup.exe
1208	backup.exe
1208	backup.exe
1208	backup.exe
1208	backup.exe
1208	backup.exe
1208	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\VideoLAN\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\System Restore.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
696	backup.exe
764	backup.exe
1796	backup.exe
1740	backup.exe
992	backup.exe
1964	backup.exe
1184	backup.exe
672	update.exe
1924	backup.exe
908	backup.exe
1552	backup.exe
1516	backup.exe
1680	backup.exe
1640	backup.exe
1000	backup.exe
1224	backup.exe
1756	backup.exe
1596	backup.exe
1536	backup.exe
112	backup.exe
1936	backup.exe
800	backup.exe
1752	backup.exe
1568	backup.exe
1732	backup.exe
992	backup.exe
588	backup.exe
1704	backup.exe
1208	backup.exe
2028	backup.exe
1844	backup.exe
672	backup.exe
900	backup.exe
1972	backup.exe
1924	backup.exe
1616	backup.exe
576	backup.exe
1484	backup.exe
1608	data.exe
1308	data.exe
1160	backup.exe
1632	backup.exe
1376	backup.exe
1224	backup.exe
1088	backup.exe
624	backup.exe
1592	backup.exe
1144	backup.exe
1464	backup.exe
1108	backup.exe
1860	backup.exe
792	backup.exe
1724	backup.exe
972	backup.exe
1696	backup.exe
652	backup.exe
1964	backup.exe
1720	backup.exe
1600	backup.exe
1204	backup.exe
1532	backup.exe
632	backup.exe
1544	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 696	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	26
PID 1504 wrote to memory of 696	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	26
PID 1504 wrote to memory of 696	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	26
PID 1504 wrote to memory of 696	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	26
PID 1504 wrote to memory of 764	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	27
PID 1504 wrote to memory of 764	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	27
PID 1504 wrote to memory of 764	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	27
PID 1504 wrote to memory of 764	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	27
PID 1504 wrote to memory of 1796	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	28
PID 1504 wrote to memory of 1796	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	28
PID 1504 wrote to memory of 1796	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	28
PID 1504 wrote to memory of 1796	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	28
PID 1504 wrote to memory of 1740	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	29
PID 1504 wrote to memory of 1740	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	29
PID 1504 wrote to memory of 1740	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	29
PID 1504 wrote to memory of 1740	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	29
PID 1504 wrote to memory of 992	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	30
PID 1504 wrote to memory of 992	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	30
PID 1504 wrote to memory of 992	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	30
PID 1504 wrote to memory of 992	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	30
PID 1504 wrote to memory of 1964	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	31
PID 1504 wrote to memory of 1964	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	31
PID 1504 wrote to memory of 1964	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	31
PID 1504 wrote to memory of 1964	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	31
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 1504 wrote to memory of 672	1504	cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe	32
PID 696 wrote to memory of 1184	696	backup.exe	33
PID 696 wrote to memory of 1184	696	backup.exe	33
PID 696 wrote to memory of 1184	696	backup.exe	33
PID 696 wrote to memory of 1184	696	backup.exe	33
PID 1184 wrote to memory of 1924	1184	backup.exe	34
PID 1184 wrote to memory of 1924	1184	backup.exe	34
PID 1184 wrote to memory of 1924	1184	backup.exe	34
PID 1184 wrote to memory of 1924	1184	backup.exe	34
PID 1924 wrote to memory of 908	1924	backup.exe	35
PID 1924 wrote to memory of 908	1924	backup.exe	35
PID 1924 wrote to memory of 908	1924	backup.exe	35
PID 1924 wrote to memory of 908	1924	backup.exe	35
PID 1184 wrote to memory of 1552	1184	backup.exe	36
PID 1184 wrote to memory of 1552	1184	backup.exe	36
PID 1184 wrote to memory of 1552	1184	backup.exe	36
PID 1184 wrote to memory of 1552	1184	backup.exe	36
PID 1552 wrote to memory of 1516	1552	backup.exe	37
PID 1552 wrote to memory of 1516	1552	backup.exe	37
PID 1552 wrote to memory of 1516	1552	backup.exe	37
PID 1552 wrote to memory of 1516	1552	backup.exe	37
PID 1516 wrote to memory of 1680	1516	backup.exe	38
PID 1516 wrote to memory of 1680	1516	backup.exe	38
PID 1516 wrote to memory of 1680	1516	backup.exe	38
PID 1516 wrote to memory of 1680	1516	backup.exe	38
PID 1552 wrote to memory of 1640	1552	backup.exe	39
PID 1552 wrote to memory of 1640	1552	backup.exe	39
PID 1552 wrote to memory of 1640	1552	backup.exe	39
PID 1552 wrote to memory of 1640	1552	backup.exe	39
PID 1640 wrote to memory of 1000	1640	backup.exe	40
PID 1640 wrote to memory of 1000	1640	backup.exe	40
PID 1640 wrote to memory of 1000	1640	backup.exe	40
PID 1640 wrote to memory of 1000	1640	backup.exe	40
PID 1000 wrote to memory of 1224	1000	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe
"C:\Users\Admin\AppData\Local\Temp\cb9216cd4899ebaaf5181504efd23395183bfc5d132d7c64d9d1cc95911137c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\3712913569\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3712913569\backup.exe C:\Users\Admin\AppData\Local\Temp\3712913569\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:696
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1184
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1924
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:776
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1952
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1320
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1484
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1144
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1180
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1284
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Program Files\Common Files\System\en-US\data.exe
        
        "C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1580
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1716
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1144
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:860
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:740
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1540
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1808
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1812
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:652
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:360
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1224
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1940
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:800
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:380
      - C:\Program Files\DVD Maker\Shared\update.exe
        
        "C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1168
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1768
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:1072
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1452
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:112
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1724
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:580
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1532
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:864
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1188
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1772
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1564
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1832
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1724
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1536
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1464
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1532
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:520
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1844
    - - C:\Program Files\MSBuild\data.exe
        
        "C:\Program Files\MSBuild\data.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1484
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1056
    - - C:\Program Files\VideoLAN\update.exe
        
        "C:\Program Files\VideoLAN\update.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1608
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:972
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        System policy modification
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:240
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:112
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1388
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:856
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2012
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:588
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1744
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1616
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1204
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1804
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1680
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:960
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1284
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1284
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1336
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:544
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:672
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1520
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:624
    - - C:\Windows\addins\System Restore.exe
        
        "C:\Windows\addins\System Restore.exe" C:\Windows\addins\
        5⤵
        
        PID:828
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:764
    - - C:\Windows\AppPatch\System Restore.exe
        
        "C:\Windows\AppPatch\System Restore.exe" C:\Windows\AppPatch\
        5⤵
        
        PID:992
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1052
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1460
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:908
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:764
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
8ac76934eb0d5c54de0286a2cb9426da

SHA1
05cffee5a43360ae8d176dcbe7839bd5bda8e7c2

SHA256
cd9913fd260db9c671ff4a129e8ae5d5b6144a7af2e1a16ab5918d3c3fc54609

SHA512
25cf242b97027e6cc5f45c1c396b805f67b051090fc898005c8136ae1b80163c5f11039be50360aced5757971f10887b46dc59c3f5e65334f470bba7142b8054

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
884247823ef06e041e3a3a8f0c57cf76

SHA1
f2239efb9898dd9afff9226614c1209c27c8039d

SHA256
dc9d8c6b1c61ad1b2efc35c58b72405cd3e99c104570cbe063c3d4bc466a116f

SHA512
da03b80717c4426f3b0849c69e78cc58970979157719c66ac3c6ed50d5fce061ebf2e1d753569eddbeea0d261375f6a3781216168f8e8444741942eac92bc082

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
884247823ef06e041e3a3a8f0c57cf76

SHA1
f2239efb9898dd9afff9226614c1209c27c8039d

SHA256
dc9d8c6b1c61ad1b2efc35c58b72405cd3e99c104570cbe063c3d4bc466a116f

SHA512
da03b80717c4426f3b0849c69e78cc58970979157719c66ac3c6ed50d5fce061ebf2e1d753569eddbeea0d261375f6a3781216168f8e8444741942eac92bc082

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
9127a2d82707bccf9434fdafe49834d1

SHA1
02c63c5efd4ffbf1c33858d1931481d5e1ebe373

SHA256
5ea04333da1fea0495ba915199c82c3afd7f3116cee515693a337be9917f325e

SHA512
bb127b72a2054c18ceb207ac8c3d4287bb41d85a9794ea9e1445a428312467bc36e51cac4b8f755edfaf519ac7884bd83594806a81e7b7a30453455474fcc1b5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5da5af6f73a2335d976d274098aeb45a

SHA1
c42f551f2bca7de28d651eaf1571e725963252e9

SHA256
eed06959f2da5ada6688fdb535caf170ebd67a77315d5e6c3572972306f4be58

SHA512
b1239140216c5fd57222d6f90ec1b135bc6b36f9509a5c11192568d418e88086e513819587983baae26843e1a98274bd23e11f34a44ae2d31b14c75958912425

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5da5af6f73a2335d976d274098aeb45a

SHA1
c42f551f2bca7de28d651eaf1571e725963252e9

SHA256
eed06959f2da5ada6688fdb535caf170ebd67a77315d5e6c3572972306f4be58

SHA512
b1239140216c5fd57222d6f90ec1b135bc6b36f9509a5c11192568d418e88086e513819587983baae26843e1a98274bd23e11f34a44ae2d31b14c75958912425

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3712913569\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3712913569\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
C:\backup.exe

Filesize
72KB

MD5
35535af19ce7be9f5b2bd42858b4bb2c

SHA1
f80d5c6143155e6bd2907fd10c6d15048897d550

SHA256
797cb70784584e7db62592c36454b5ccc7358d031f0ebba6553502302288618b

SHA512
68cc3d8c467fbf8065fd3d237708d3e2f8f3c866bd12d66bc96e96b7e8207286d4a3ad6bd8ccf191892f437c3ffab444fd6dcc69287ef95e6bd5c8a6f306e98a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
35535af19ce7be9f5b2bd42858b4bb2c

SHA1
f80d5c6143155e6bd2907fd10c6d15048897d550

SHA256
797cb70784584e7db62592c36454b5ccc7358d031f0ebba6553502302288618b

SHA512
68cc3d8c467fbf8065fd3d237708d3e2f8f3c866bd12d66bc96e96b7e8207286d4a3ad6bd8ccf191892f437c3ffab444fd6dcc69287ef95e6bd5c8a6f306e98a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
8ac76934eb0d5c54de0286a2cb9426da

SHA1
05cffee5a43360ae8d176dcbe7839bd5bda8e7c2

SHA256
cd9913fd260db9c671ff4a129e8ae5d5b6144a7af2e1a16ab5918d3c3fc54609

SHA512
25cf242b97027e6cc5f45c1c396b805f67b051090fc898005c8136ae1b80163c5f11039be50360aced5757971f10887b46dc59c3f5e65334f470bba7142b8054

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
8ac76934eb0d5c54de0286a2cb9426da

SHA1
05cffee5a43360ae8d176dcbe7839bd5bda8e7c2

SHA256
cd9913fd260db9c671ff4a129e8ae5d5b6144a7af2e1a16ab5918d3c3fc54609

SHA512
25cf242b97027e6cc5f45c1c396b805f67b051090fc898005c8136ae1b80163c5f11039be50360aced5757971f10887b46dc59c3f5e65334f470bba7142b8054

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
af7da5b1c992d24cf020716f06ec6529

SHA1
010030a66f67248b5ff171356dff3a6f7257c660

SHA256
8c5b70a0cdc19cae1bd0b1dc5ad874b4d4177c2565786e0cf57f3945e0b223d8

SHA512
e8041ff16fe211f995be6c89e16110a09491674651ab5bf2cca5d8f74c39a438cc038c261dccea2d741268914aa7d0b6a7099ed8d32bb1bc5ed0390979960f81

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
884247823ef06e041e3a3a8f0c57cf76

SHA1
f2239efb9898dd9afff9226614c1209c27c8039d

SHA256
dc9d8c6b1c61ad1b2efc35c58b72405cd3e99c104570cbe063c3d4bc466a116f

SHA512
da03b80717c4426f3b0849c69e78cc58970979157719c66ac3c6ed50d5fce061ebf2e1d753569eddbeea0d261375f6a3781216168f8e8444741942eac92bc082

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
884247823ef06e041e3a3a8f0c57cf76

SHA1
f2239efb9898dd9afff9226614c1209c27c8039d

SHA256
dc9d8c6b1c61ad1b2efc35c58b72405cd3e99c104570cbe063c3d4bc466a116f

SHA512
da03b80717c4426f3b0849c69e78cc58970979157719c66ac3c6ed50d5fce061ebf2e1d753569eddbeea0d261375f6a3781216168f8e8444741942eac92bc082

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
9127a2d82707bccf9434fdafe49834d1

SHA1
02c63c5efd4ffbf1c33858d1931481d5e1ebe373

SHA256
5ea04333da1fea0495ba915199c82c3afd7f3116cee515693a337be9917f325e

SHA512
bb127b72a2054c18ceb207ac8c3d4287bb41d85a9794ea9e1445a428312467bc36e51cac4b8f755edfaf519ac7884bd83594806a81e7b7a30453455474fcc1b5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
9127a2d82707bccf9434fdafe49834d1

SHA1
02c63c5efd4ffbf1c33858d1931481d5e1ebe373

SHA256
5ea04333da1fea0495ba915199c82c3afd7f3116cee515693a337be9917f325e

SHA512
bb127b72a2054c18ceb207ac8c3d4287bb41d85a9794ea9e1445a428312467bc36e51cac4b8f755edfaf519ac7884bd83594806a81e7b7a30453455474fcc1b5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
7312c587edd475e0cf9a4f5ab83e53cd

SHA1
d2d34eb86d39986fc2b2ef3f188865039201d440

SHA256
d9c8eda3c53a9d8a49a0291c4e74d98460590f893c2c235f770a8cd15194feaa

SHA512
21a19da6d302b9c810e5bb3e33e0c02d76b93bc0d0e29aedbf241828184ab43962c5fba5e97e9e00ff2537355abd311c4e9139db3ad49f71507cbf1c6cadbc5d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
9127a2d82707bccf9434fdafe49834d1

SHA1
02c63c5efd4ffbf1c33858d1931481d5e1ebe373

SHA256
5ea04333da1fea0495ba915199c82c3afd7f3116cee515693a337be9917f325e

SHA512
bb127b72a2054c18ceb207ac8c3d4287bb41d85a9794ea9e1445a428312467bc36e51cac4b8f755edfaf519ac7884bd83594806a81e7b7a30453455474fcc1b5

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5da5af6f73a2335d976d274098aeb45a

SHA1
c42f551f2bca7de28d651eaf1571e725963252e9

SHA256
eed06959f2da5ada6688fdb535caf170ebd67a77315d5e6c3572972306f4be58

SHA512
b1239140216c5fd57222d6f90ec1b135bc6b36f9509a5c11192568d418e88086e513819587983baae26843e1a98274bd23e11f34a44ae2d31b14c75958912425

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5da5af6f73a2335d976d274098aeb45a

SHA1
c42f551f2bca7de28d651eaf1571e725963252e9

SHA256
eed06959f2da5ada6688fdb535caf170ebd67a77315d5e6c3572972306f4be58

SHA512
b1239140216c5fd57222d6f90ec1b135bc6b36f9509a5c11192568d418e88086e513819587983baae26843e1a98274bd23e11f34a44ae2d31b14c75958912425

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
aaec6f5942b7a240b18165a7b7de4f30

SHA1
4e3ce4dbc5304cf80f6fb62b8a0cf79811f32898

SHA256
8496959620ed61e715d5c2d77b8b0c36259caa25877c8d89636e3f8f403c6cda

SHA512
024d4bf7e56f1d01f5491cec3f46ffb959a67fc330e533fa07cc4b54fa8671014ef6b5e04094053875fc697cf90b5e72e600bfe6b70e5136f790ade30ce29bd2

Download Submit
\Users\Admin\AppData\Local\Temp\3712913569\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\3712913569\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ba4e0c54d173a41ef11bcb4bc2cb71ef

SHA1
7cd982e4ffbe3ff19db2955c9a939915028cfca7

SHA256
4734474a8a46b117d1483750e4cb3a774f8ed1ecce00abd0b1162e95c4e626cd

SHA512
bf915d3f81c966ebea960f5a7b57b44e48a3e80e8412a0a46e7b65c6ca45926a8cacc8591131b779802230a76c415d9db58f2593fa9578564905b526bbd20de8

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
055088ee9523b8cb467300063b96de7c

SHA1
e3edda23af62ecba0c92f188de4f276508bf3b3a

SHA256
05f485ebf2f40d5e45905b20fb4b58be53eac1675e830f9d83b5027d7a1f449f

SHA512
e1ec320ca48ad1dffbfcb7536e5f9e87bedf5ba42ea2561f590b43875294791a3079c3622c6d0f959edc7f718048d40c546a5da043bb7a6fe8d32142ca777931

Download Submit
memory/672-96-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-185-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads