19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235

Analysis

max time kernel
153s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
Size

72KB
MD5

6e44c39281d61d6db727331c6a2f1bf3
SHA1

4bdd7cd5cfd9f691502cb21680d40db6723c0263
SHA256

19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235
SHA512

81c4fe80b57e726d44af35ae3e588f22459383206b1f5397e068db21f8dee26b97e73365d0ac7563d3c8e18fd03a1852421ff869105fb2eb94e055e5a8f84e70
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2A:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrM

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe

Executes dropped EXE 64 IoCs

pid	Process
1172	backup.exe
1200	backup.exe
1088	backup.exe
2016	backup.exe
2032	backup.exe
1872	backup.exe
456	backup.exe
112	backup.exe
596	backup.exe
2044	backup.exe
1696	backup.exe
1960	update.exe
976	backup.exe
1292	backup.exe
1668	backup.exe
240	backup.exe
336	backup.exe
1580	backup.exe
1316	backup.exe
1136	backup.exe
1052	backup.exe
1776	backup.exe
948	backup.exe
2012	backup.exe
2028	backup.exe
1992	backup.exe
768	backup.exe
1872	backup.exe
1504	backup.exe
1536	backup.exe
1388	backup.exe
1988	update.exe
1168	backup.exe
1468	backup.exe
1464	backup.exe
1728	backup.exe
1264	backup.exe
808	backup.exe
1152	backup.exe
1960	backup.exe
1064	backup.exe
1784	backup.exe
1568	backup.exe
1180	backup.exe
1880	backup.exe
1560	backup.exe
1580	backup.exe
1144	backup.exe
1796	backup.exe
1768	backup.exe
1192	backup.exe
948	backup.exe
696	backup.exe
2028	data.exe
1964	data.exe
1868	backup.exe
804	backup.exe
1536	backup.exe
436	backup.exe
1556	backup.exe
1952	backup.exe
1116	data.exe
1396	backup.exe
1268	System Restore.exe

Loads dropped DLL 64 IoCs

pid	Process
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
2016	backup.exe
2016	backup.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
456	backup.exe
456	backup.exe
2016	backup.exe
2016	backup.exe
1696	backup.exe
1960	update.exe
1960	update.exe
1960	update.exe
1960	update.exe
1960	update.exe
976	backup.exe
976	backup.exe
976	backup.exe
1696	backup.exe
1696	backup.exe
1292	backup.exe
1292	backup.exe
1668	backup.exe
1668	backup.exe
1668	backup.exe
1668	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
2016	backup.exe
2016	backup.exe
336	backup.exe
336	backup.exe
1992	backup.exe
1992	backup.exe
1872	backup.exe
1872	backup.exe
336	backup.exe
336	backup.exe
1504	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\data.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\update.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
1172	backup.exe
1200	backup.exe
1088	backup.exe
2016	backup.exe
2032	backup.exe
1872	backup.exe
456	backup.exe
112	backup.exe
596	backup.exe
2044	backup.exe
1696	backup.exe
1960	update.exe
976	backup.exe
1292	backup.exe
1668	backup.exe
240	backup.exe
336	backup.exe
1580	backup.exe
1316	backup.exe
1136	backup.exe
1052	backup.exe
1776	backup.exe
948	backup.exe
2012	backup.exe
2028	backup.exe
1992	backup.exe
768	backup.exe
1872	backup.exe
1504	backup.exe
1536	backup.exe
1388	backup.exe
1988	update.exe
1168	backup.exe
1468	backup.exe
1464	backup.exe
1728	backup.exe
1264	backup.exe
808	backup.exe
1152	backup.exe
1960	backup.exe
1064	backup.exe
1784	backup.exe
1568	backup.exe
1180	backup.exe
1880	backup.exe
1560	backup.exe
1580	backup.exe
1144	backup.exe
1796	backup.exe
1192	backup.exe
1768	backup.exe
948	backup.exe
696	backup.exe
2028	data.exe
1964	data.exe
1868	backup.exe
804	backup.exe
1536	backup.exe
436	backup.exe
1556	backup.exe
1952	backup.exe
1116	data.exe
1396	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1172	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	26
PID 1976 wrote to memory of 1172	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	26
PID 1976 wrote to memory of 1172	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	26
PID 1976 wrote to memory of 1172	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	26
PID 1976 wrote to memory of 1200	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	27
PID 1976 wrote to memory of 1200	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	27
PID 1976 wrote to memory of 1200	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	27
PID 1976 wrote to memory of 1200	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	27
PID 1976 wrote to memory of 1088	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	28
PID 1976 wrote to memory of 1088	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	28
PID 1976 wrote to memory of 1088	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	28
PID 1976 wrote to memory of 1088	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	28
PID 1172 wrote to memory of 2016	1172	backup.exe	29
PID 1172 wrote to memory of 2016	1172	backup.exe	29
PID 1172 wrote to memory of 2016	1172	backup.exe	29
PID 1172 wrote to memory of 2016	1172	backup.exe	29
PID 1976 wrote to memory of 2032	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	30
PID 1976 wrote to memory of 2032	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	30
PID 1976 wrote to memory of 2032	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	30
PID 1976 wrote to memory of 2032	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	30
PID 1976 wrote to memory of 1872	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	31
PID 1976 wrote to memory of 1872	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	31
PID 1976 wrote to memory of 1872	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	31
PID 1976 wrote to memory of 1872	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	31
PID 2016 wrote to memory of 456	2016	backup.exe	32
PID 2016 wrote to memory of 456	2016	backup.exe	32
PID 2016 wrote to memory of 456	2016	backup.exe	32
PID 2016 wrote to memory of 456	2016	backup.exe	32
PID 1976 wrote to memory of 112	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	33
PID 1976 wrote to memory of 112	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	33
PID 1976 wrote to memory of 112	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	33
PID 1976 wrote to memory of 112	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	33
PID 1976 wrote to memory of 596	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	34
PID 1976 wrote to memory of 596	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	34
PID 1976 wrote to memory of 596	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	34
PID 1976 wrote to memory of 596	1976	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe	34
PID 456 wrote to memory of 2044	456	backup.exe	35
PID 456 wrote to memory of 2044	456	backup.exe	35
PID 456 wrote to memory of 2044	456	backup.exe	35
PID 456 wrote to memory of 2044	456	backup.exe	35
PID 2016 wrote to memory of 1696	2016	backup.exe	36
PID 2016 wrote to memory of 1696	2016	backup.exe	36
PID 2016 wrote to memory of 1696	2016	backup.exe	36
PID 2016 wrote to memory of 1696	2016	backup.exe	36
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1696 wrote to memory of 1960	1696	backup.exe	37
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1960 wrote to memory of 976	1960	update.exe	38
PID 1696 wrote to memory of 1292	1696	backup.exe	39
PID 1696 wrote to memory of 1292	1696	backup.exe	39
PID 1696 wrote to memory of 1292	1696	backup.exe	39
PID 1696 wrote to memory of 1292	1696	backup.exe	39
PID 1292 wrote to memory of 1668	1292	backup.exe	40
PID 1292 wrote to memory of 1668	1292	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe
"C:\Users\Admin\AppData\Local\Temp\19f2538c1a363efa97b2a7d666e599b8cf0df49bfea7ebcae9fbd7add0cfc235.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1976
- C:\Users\Admin\AppData\Local\Temp\2661910246\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2661910246\backup.exe C:\Users\Admin\AppData\Local\Temp\2661910246\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1696
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:976
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        System policy modification
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:240
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1716
      - C:\Program Files\Common Files\Services\System Restore.exe
        
        "C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1268
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1960
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2020
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1740
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1700
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1676
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1392
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:240
        
        C:\Program Files\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\data.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2036
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1452
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:664
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:548
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1968
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:812
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1796
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:744
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1468
        
        C:\Program Files\Common Files\System\Ole DB\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\data.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:836
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1396
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:548
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:240
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1616
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1080
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1216
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2036
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1152
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1368
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1636
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1908
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:240
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:912
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1536
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1708
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1216
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1144
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:696
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2136
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1704
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        
        PID:860
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1196
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:584
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:384
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1560
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1728
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1692
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1544
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2008
    - - C:\Program Files\Java\System Restore.exe
        
        "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
        5⤵
        
        PID:1576
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1968
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1556
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1792
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:960
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2096
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1992
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1872
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        System policy modification
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        
        PID:576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:948
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1880
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1316
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1556
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1612
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        System policy modification
        
        PID:752
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1980
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1184
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        System policy modification
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        System policy modification
        
        PID:436
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:320
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1396
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:1516
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1572
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1940
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1932
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:596
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1568
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:568
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1784
        
        C:\Program Files (x86)\Google\Update\Download\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\Download\System Restore.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1580
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1868
        
        C:\Program Files (x86)\Google\Update\Offline\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\System Restore.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2120
    - - C:\Program Files (x86)\Internet Explorer\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1532
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1388
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:812
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:828
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2072
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1044
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1164
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1796
      - C:\Users\Admin\Documents\data.exe
        
        C:\Users\Admin\Documents\data.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1676
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:1708
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:944
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1192
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1636
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1580
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1616
      - C:\Users\Admin\Videos\update.exe
        
        C:\Users\Admin\Videos\update.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1152
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:664
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:1740
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:1544
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1720
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        Disables RegEdit via registry modification
        
        PID:268
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:616
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:288
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:548
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      System policy modification
      PID:1392
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1304
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        System policy modification
        
        PID:1796
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:1052
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:1536
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:804
        
        C:\Windows\AppPatch\Custom\Custom64\update.exe
        
        C:\Windows\AppPatch\Custom\Custom64\update.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:976
      - C:\Windows\AppPatch\de-DE\data.exe
        
        C:\Windows\AppPatch\de-DE\data.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:384
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1808
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:1760
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1948
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:932
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        
        PID:2128
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1628
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1776
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1316
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1988
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2004
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:2104
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:112
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ed372b02e81cf9a455ebefc2ac836778

SHA1
b86b187bef83e856aa6c22fea3053b9fc407bca7

SHA256
ca5c5c2005bcf7dd3ef0d99bd606e33833b9a508262808f24b85b9a5094b4606

SHA512
1cf98361b39e63af1e9e2969ddf40f9ee63609356568da4dddebc1562080cb3a4bff44832e6b07a1828baeb6ce1d8e230b9ea36bca32e8726308f6b30aa28048

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
acff0232dcda2a5f7977e5978d94505a

SHA1
471c1b985b165bcbecf531701cfe6bc5377e34a5

SHA256
ed8abe90b53eb7c0bad671711cda8d669054ea93deb4b6fbfe2f2f60419456a6

SHA512
64b114199563c04e39f952f9d08832292f0e4e7625f23b2d0f2dc3a3b67fbebe7cad95e61fe7a86f89e9bb931056c568b088ef9b3b1c2c7ea6170adbccf2b1d4

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
acff0232dcda2a5f7977e5978d94505a

SHA1
471c1b985b165bcbecf531701cfe6bc5377e34a5

SHA256
ed8abe90b53eb7c0bad671711cda8d669054ea93deb4b6fbfe2f2f60419456a6

SHA512
64b114199563c04e39f952f9d08832292f0e4e7625f23b2d0f2dc3a3b67fbebe7cad95e61fe7a86f89e9bb931056c568b088ef9b3b1c2c7ea6170adbccf2b1d4

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1faa3c1d373fa4485947e6985f20994a

SHA1
61f440d3ec36bb55a469aa9ccb54a1739f681bc9

SHA256
c857ff583fb8a674ca60ca8dfcc22c10c715f0686c7ca9631d22faeeed922785

SHA512
1480717876c67706d50286635e9478ee102167d2e6b3e6e4e08972b09781b5f2f431e217a1539577e51adaff6d6fa99db35e9f3e68d5afd12b4a399c85ae9d05

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1faa3c1d373fa4485947e6985f20994a

SHA1
61f440d3ec36bb55a469aa9ccb54a1739f681bc9

SHA256
c857ff583fb8a674ca60ca8dfcc22c10c715f0686c7ca9631d22faeeed922785

SHA512
1480717876c67706d50286635e9478ee102167d2e6b3e6e4e08972b09781b5f2f431e217a1539577e51adaff6d6fa99db35e9f3e68d5afd12b4a399c85ae9d05

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
512142ca5e4deeac5c6fb12c98b89055

SHA1
64c9944c7ca162ec3a065dbbe482b0207dce2d90

SHA256
8ce290cfa9bd8dab20011795bd169ad261bcda346cd4aac0aa0dd539f567259f

SHA512
d1d334e5f9ee8ef1d267096a52d2239a167d2f528095080fb2aec4703b959f7471ba4d963a2251ae0fc0b89be490055494d52d5a1fe3ccbeceacb5b138e24ac8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
512142ca5e4deeac5c6fb12c98b89055

SHA1
64c9944c7ca162ec3a065dbbe482b0207dce2d90

SHA256
8ce290cfa9bd8dab20011795bd169ad261bcda346cd4aac0aa0dd539f567259f

SHA512
d1d334e5f9ee8ef1d267096a52d2239a167d2f528095080fb2aec4703b959f7471ba4d963a2251ae0fc0b89be490055494d52d5a1fe3ccbeceacb5b138e24ac8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d8d146a52b47c4cf1e367d8ccc379627

SHA1
8c46f17ad0aacd432dc5dff16dd9e224909b2bb0

SHA256
63c6a403285a8cf191448e98bda5c5a495435a2076005ec82b4ce6af1a469900

SHA512
2e81f39e61984b7c9cddf0cf82848545cad79c3eb8499bf19950e04f37c9a42c4cdf11bf9f8b6407993aaff2790fc64b2b309419a5dda9825bb76239f18d2457

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d8d146a52b47c4cf1e367d8ccc379627

SHA1
8c46f17ad0aacd432dc5dff16dd9e224909b2bb0

SHA256
63c6a403285a8cf191448e98bda5c5a495435a2076005ec82b4ce6af1a469900

SHA512
2e81f39e61984b7c9cddf0cf82848545cad79c3eb8499bf19950e04f37c9a42c4cdf11bf9f8b6407993aaff2790fc64b2b309419a5dda9825bb76239f18d2457

Download Submit
C:\Users\Admin\AppData\Local\Temp\2661910246\backup.exe

Filesize
72KB

MD5
9531693d194cc7d98600731dbfc0aad1

SHA1
d6defcc461c587c661b2ee1cc2cc72e0dcd1a3d2

SHA256
9a14350244b9bed98d0f493a208a72fb86f188042bf5357942aadbfb08b6c279

SHA512
127fa23ad9d324e43e26ccaae112c8b4128ae0bcf1edf9392e61aa5b9ad5b5c0a86930f04ad1a22f0956690866ef0f868359eeff843aeebfac225eb284e3b431

Download Submit
C:\Users\Admin\AppData\Local\Temp\2661910246\backup.exe

Filesize
72KB

MD5
9531693d194cc7d98600731dbfc0aad1

SHA1
d6defcc461c587c661b2ee1cc2cc72e0dcd1a3d2

SHA256
9a14350244b9bed98d0f493a208a72fb86f188042bf5357942aadbfb08b6c279

SHA512
127fa23ad9d324e43e26ccaae112c8b4128ae0bcf1edf9392e61aa5b9ad5b5c0a86930f04ad1a22f0956690866ef0f868359eeff843aeebfac225eb284e3b431

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b2b1ef8060e8abc995ed7613d7de54e

SHA1
4389e431639e817d687e0e701ac6002c5acfc0dd

SHA256
f5c2131b293140fce85d1d5a4e03483a26acb493625765e28e3f01b545cda580

SHA512
081254aea7ca4bbba7920ac2a8851f0b9d52f5c0ef12d929ccdd5d53335eada7286ba32af0ad9c077a1cf3b74464aae9d0ed2e47a0b01de02dc520b70e43bd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5aa7ff0af5d1aebb812547123f5a5280

SHA1
f094b02f81235c5e0d8d33a456a995f68ba8ff0b

SHA256
448479e4765c702b788f80d29409e673ca03df33af3bdf865a952b5317f040ea

SHA512
121179a6119bb2fe02a8872cb25d9916b973a8e20be405ff063dfa7de22ccb0e0e9d420c35ce170766e7c9ec9998874f0543a8aebe4e87e08aa88c68e3181f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cf4e01e289120aa9f493730de0e4ea54

SHA1
61f632acabd54242bf12225bfc8370bafb7e61b2

SHA256
32a8bad6a8026d9e19146e82bc90880fb533144e5af37eff646915e2172f5bf5

SHA512
13165fbbb6d8a711b029f8c721a3f564e6ba47e767d2d0b78b6edd378da38282cd1f699011d0cf757b40b67fb8a14002bb3860e42cb484c526a0cf365025ff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
10f25541deb614a83cd88e544b61e15c

SHA1
e6b2a1d286b4a270d9bbc13194678794d39e1c4f

SHA256
729d64c32962b990e375081ddaffbca845103bec1a0288bbdfd0866e37a3dd5b

SHA512
4afd27ed3239e8b04ba9afab7a173db8cee6a6c63343a81b5d61946b0133b4bd32c295d6695828e6d8ad8353e40ffe8e1d3ad78e11ff8c2f27a83cf36d404c3e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
59f4d8f2b6ffec8030e9a8506fa0c0b6

SHA1
dcedff3f80b2406a8e5d6a73d9941b123c1de30c

SHA256
9da7116c2f1d7533e4bd389d89b82659a2af997e150f97de7d7f27f57bd67c53

SHA512
60e925f3c98ea65e23927ea375049c47950093483f94c3229fd606c269a276d29f64f53eb9712e9e7a4c84e897155d2e4f73762447c4b7cec1132c3a79d589b8

Download Submit
C:\backup.exe

Filesize
72KB

MD5
59f4d8f2b6ffec8030e9a8506fa0c0b6

SHA1
dcedff3f80b2406a8e5d6a73d9941b123c1de30c

SHA256
9da7116c2f1d7533e4bd389d89b82659a2af997e150f97de7d7f27f57bd67c53

SHA512
60e925f3c98ea65e23927ea375049c47950093483f94c3229fd606c269a276d29f64f53eb9712e9e7a4c84e897155d2e4f73762447c4b7cec1132c3a79d589b8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ed372b02e81cf9a455ebefc2ac836778

SHA1
b86b187bef83e856aa6c22fea3053b9fc407bca7

SHA256
ca5c5c2005bcf7dd3ef0d99bd606e33833b9a508262808f24b85b9a5094b4606

SHA512
1cf98361b39e63af1e9e2969ddf40f9ee63609356568da4dddebc1562080cb3a4bff44832e6b07a1828baeb6ce1d8e230b9ea36bca32e8726308f6b30aa28048

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ed372b02e81cf9a455ebefc2ac836778

SHA1
b86b187bef83e856aa6c22fea3053b9fc407bca7

SHA256
ca5c5c2005bcf7dd3ef0d99bd606e33833b9a508262808f24b85b9a5094b4606

SHA512
1cf98361b39e63af1e9e2969ddf40f9ee63609356568da4dddebc1562080cb3a4bff44832e6b07a1828baeb6ce1d8e230b9ea36bca32e8726308f6b30aa28048

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
acff0232dcda2a5f7977e5978d94505a

SHA1
471c1b985b165bcbecf531701cfe6bc5377e34a5

SHA256
ed8abe90b53eb7c0bad671711cda8d669054ea93deb4b6fbfe2f2f60419456a6

SHA512
64b114199563c04e39f952f9d08832292f0e4e7625f23b2d0f2dc3a3b67fbebe7cad95e61fe7a86f89e9bb931056c568b088ef9b3b1c2c7ea6170adbccf2b1d4

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
acff0232dcda2a5f7977e5978d94505a

SHA1
471c1b985b165bcbecf531701cfe6bc5377e34a5

SHA256
ed8abe90b53eb7c0bad671711cda8d669054ea93deb4b6fbfe2f2f60419456a6

SHA512
64b114199563c04e39f952f9d08832292f0e4e7625f23b2d0f2dc3a3b67fbebe7cad95e61fe7a86f89e9bb931056c568b088ef9b3b1c2c7ea6170adbccf2b1d4

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
977bc5918bcfe50387e9e4217a283226

SHA1
0389f8adda7c611072b66a888d2682c1c222ff76

SHA256
93860e50788bf1987f9109e97563cc0eb6619d5725c6c0a2786a93ed0c3d4160

SHA512
eb38034a1d44d8c3489e1ef40bb4389cd58a6211044c353bc4802ba404ab99d2f98ccbeb7d955faf2d86291b65e0ce99384ec585379c980645cc7421853961a3

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
e5d2c998a1d8756f346ce3e293afc67e

SHA1
6b6134b6f3ae2570c5a52f12a1fcb1189218a8f3

SHA256
1411877e1df2cadd46cd9c724eff6e6be5132d9b52df9b81ddf154585e5402f8

SHA512
646a040d47d75ee46155f6d3b42dddc6c53829e5088bbf61ddcf255b14555706ebfe0f6cf5559a93daa71657d7d5e347638a87dc18ebf4c84b5c70e25f71ad02

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1faa3c1d373fa4485947e6985f20994a

SHA1
61f440d3ec36bb55a469aa9ccb54a1739f681bc9

SHA256
c857ff583fb8a674ca60ca8dfcc22c10c715f0686c7ca9631d22faeeed922785

SHA512
1480717876c67706d50286635e9478ee102167d2e6b3e6e4e08972b09781b5f2f431e217a1539577e51adaff6d6fa99db35e9f3e68d5afd12b4a399c85ae9d05

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1faa3c1d373fa4485947e6985f20994a

SHA1
61f440d3ec36bb55a469aa9ccb54a1739f681bc9

SHA256
c857ff583fb8a674ca60ca8dfcc22c10c715f0686c7ca9631d22faeeed922785

SHA512
1480717876c67706d50286635e9478ee102167d2e6b3e6e4e08972b09781b5f2f431e217a1539577e51adaff6d6fa99db35e9f3e68d5afd12b4a399c85ae9d05

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
621a750e1c90baa7efe4895f0d3a639d

SHA1
995577b3b7eea39c3d7946d2c7462bf06fcb8293

SHA256
58d722cabab1f64e40d652ac0212e5f43d84062eb3545f4128b30d549a7c6f0e

SHA512
0c7b91f9f793fb1a8250f055d240cbb17b6c12606c3002fd4c783a38b2b797c02b485c925ed980d6587f1bb93aa4a8f6c216b79c500c64736206cce2aea25741

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b52fee974d44a32740787c829ec0e147

SHA1
30d1209d6d1dcfc7edc6545d8dda79d37d3117bb

SHA256
8375f3b8149710e5659f6fc7f96bbb957bb976a29baed79c5b532820efb464fb

SHA512
45588315db5c93e22455d8583abf9c1bafca01f67f5118b1ce31b19f55ec98df5f815fd3ff5990f2326c6481911258fa4107578581d92fbdc69196adc9f21027

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
512142ca5e4deeac5c6fb12c98b89055

SHA1
64c9944c7ca162ec3a065dbbe482b0207dce2d90

SHA256
8ce290cfa9bd8dab20011795bd169ad261bcda346cd4aac0aa0dd539f567259f

SHA512
d1d334e5f9ee8ef1d267096a52d2239a167d2f528095080fb2aec4703b959f7471ba4d963a2251ae0fc0b89be490055494d52d5a1fe3ccbeceacb5b138e24ac8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
512142ca5e4deeac5c6fb12c98b89055

SHA1
64c9944c7ca162ec3a065dbbe482b0207dce2d90

SHA256
8ce290cfa9bd8dab20011795bd169ad261bcda346cd4aac0aa0dd539f567259f

SHA512
d1d334e5f9ee8ef1d267096a52d2239a167d2f528095080fb2aec4703b959f7471ba4d963a2251ae0fc0b89be490055494d52d5a1fe3ccbeceacb5b138e24ac8

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d8d146a52b47c4cf1e367d8ccc379627

SHA1
8c46f17ad0aacd432dc5dff16dd9e224909b2bb0

SHA256
63c6a403285a8cf191448e98bda5c5a495435a2076005ec82b4ce6af1a469900

SHA512
2e81f39e61984b7c9cddf0cf82848545cad79c3eb8499bf19950e04f37c9a42c4cdf11bf9f8b6407993aaff2790fc64b2b309419a5dda9825bb76239f18d2457

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
d8d146a52b47c4cf1e367d8ccc379627

SHA1
8c46f17ad0aacd432dc5dff16dd9e224909b2bb0

SHA256
63c6a403285a8cf191448e98bda5c5a495435a2076005ec82b4ce6af1a469900

SHA512
2e81f39e61984b7c9cddf0cf82848545cad79c3eb8499bf19950e04f37c9a42c4cdf11bf9f8b6407993aaff2790fc64b2b309419a5dda9825bb76239f18d2457

Download Submit
\Users\Admin\AppData\Local\Temp\2661910246\backup.exe

Filesize
72KB

MD5
9531693d194cc7d98600731dbfc0aad1

SHA1
d6defcc461c587c661b2ee1cc2cc72e0dcd1a3d2

SHA256
9a14350244b9bed98d0f493a208a72fb86f188042bf5357942aadbfb08b6c279

SHA512
127fa23ad9d324e43e26ccaae112c8b4128ae0bcf1edf9392e61aa5b9ad5b5c0a86930f04ad1a22f0956690866ef0f868359eeff843aeebfac225eb284e3b431

Download Submit
\Users\Admin\AppData\Local\Temp\2661910246\backup.exe

Filesize
72KB

MD5
9531693d194cc7d98600731dbfc0aad1

SHA1
d6defcc461c587c661b2ee1cc2cc72e0dcd1a3d2

SHA256
9a14350244b9bed98d0f493a208a72fb86f188042bf5357942aadbfb08b6c279

SHA512
127fa23ad9d324e43e26ccaae112c8b4128ae0bcf1edf9392e61aa5b9ad5b5c0a86930f04ad1a22f0956690866ef0f868359eeff843aeebfac225eb284e3b431

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b2b1ef8060e8abc995ed7613d7de54e

SHA1
4389e431639e817d687e0e701ac6002c5acfc0dd

SHA256
f5c2131b293140fce85d1d5a4e03483a26acb493625765e28e3f01b545cda580

SHA512
081254aea7ca4bbba7920ac2a8851f0b9d52f5c0ef12d929ccdd5d53335eada7286ba32af0ad9c077a1cf3b74464aae9d0ed2e47a0b01de02dc520b70e43bd64

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7b2b1ef8060e8abc995ed7613d7de54e

SHA1
4389e431639e817d687e0e701ac6002c5acfc0dd

SHA256
f5c2131b293140fce85d1d5a4e03483a26acb493625765e28e3f01b545cda580

SHA512
081254aea7ca4bbba7920ac2a8851f0b9d52f5c0ef12d929ccdd5d53335eada7286ba32af0ad9c077a1cf3b74464aae9d0ed2e47a0b01de02dc520b70e43bd64

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4585cb0566d9af90bde6601ee5752963

SHA1
f04ffa44ddb5088cf630608e6df26041b217d442

SHA256
fd5c2fb10634c2f8fa13908cec9cc55bd9ac1f32fe7ab35b0b44269263912335

SHA512
2e4a7c03f0747adc00d2980db3a0e22b01bdaf1828a6209d8ded71e27f1636b60fc982637455655489d035195e1438ab7572256d60a0d0d59e2a27c3f24acf7f

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5aa7ff0af5d1aebb812547123f5a5280

SHA1
f094b02f81235c5e0d8d33a456a995f68ba8ff0b

SHA256
448479e4765c702b788f80d29409e673ca03df33af3bdf865a952b5317f040ea

SHA512
121179a6119bb2fe02a8872cb25d9916b973a8e20be405ff063dfa7de22ccb0e0e9d420c35ce170766e7c9ec9998874f0543a8aebe4e87e08aa88c68e3181f37

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5aa7ff0af5d1aebb812547123f5a5280

SHA1
f094b02f81235c5e0d8d33a456a995f68ba8ff0b

SHA256
448479e4765c702b788f80d29409e673ca03df33af3bdf865a952b5317f040ea

SHA512
121179a6119bb2fe02a8872cb25d9916b973a8e20be405ff063dfa7de22ccb0e0e9d420c35ce170766e7c9ec9998874f0543a8aebe4e87e08aa88c68e3181f37

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cf4e01e289120aa9f493730de0e4ea54

SHA1
61f632acabd54242bf12225bfc8370bafb7e61b2

SHA256
32a8bad6a8026d9e19146e82bc90880fb533144e5af37eff646915e2172f5bf5

SHA512
13165fbbb6d8a711b029f8c721a3f564e6ba47e767d2d0b78b6edd378da38282cd1f699011d0cf757b40b67fb8a14002bb3860e42cb484c526a0cf365025ff22

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
cf4e01e289120aa9f493730de0e4ea54

SHA1
61f632acabd54242bf12225bfc8370bafb7e61b2

SHA256
32a8bad6a8026d9e19146e82bc90880fb533144e5af37eff646915e2172f5bf5

SHA512
13165fbbb6d8a711b029f8c721a3f564e6ba47e767d2d0b78b6edd378da38282cd1f699011d0cf757b40b67fb8a14002bb3860e42cb484c526a0cf365025ff22

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
10f25541deb614a83cd88e544b61e15c

SHA1
e6b2a1d286b4a270d9bbc13194678794d39e1c4f

SHA256
729d64c32962b990e375081ddaffbca845103bec1a0288bbdfd0866e37a3dd5b

SHA512
4afd27ed3239e8b04ba9afab7a173db8cee6a6c63343a81b5d61946b0133b4bd32c295d6695828e6d8ad8353e40ffe8e1d3ad78e11ff8c2f27a83cf36d404c3e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
10f25541deb614a83cd88e544b61e15c

SHA1
e6b2a1d286b4a270d9bbc13194678794d39e1c4f

SHA256
729d64c32962b990e375081ddaffbca845103bec1a0288bbdfd0866e37a3dd5b

SHA512
4afd27ed3239e8b04ba9afab7a173db8cee6a6c63343a81b5d61946b0133b4bd32c295d6695828e6d8ad8353e40ffe8e1d3ad78e11ff8c2f27a83cf36d404c3e

Download Submit
memory/1976-125-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1976-235-0x0000000074B81000-0x0000000074B83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads