87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022

Analysis

max time kernel
175s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
Size

72KB
MD5

097cf4b184553e8dcabf58666397143b
SHA1

6fa2970ac5e5c9becad97979b7d739b5fd05ac55
SHA256

87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022
SHA512

4b4010be0041e5dc52afb181be207da3f48f117fa36d6f15042d1981f93c17c5dddda09bdc7b61a9b89088474860694f8b938de9d7de4afe34d99bcb8daf9aa1
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf28:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrw

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1092	backup.exe
1748	backup.exe
1552	backup.exe
1428	backup.exe
1100	backup.exe
364	backup.exe
1276	backup.exe
784	backup.exe
868	backup.exe
1760	backup.exe
560	System Restore.exe
1896	backup.exe
268	backup.exe
1916	backup.exe
1644	backup.exe
828	backup.exe
1832	backup.exe
1932	backup.exe
1744	backup.exe
1028	backup.exe
1528	backup.exe
1064	backup.exe
1472	backup.exe
1292	backup.exe
520	backup.exe
1484	data.exe
1144	backup.exe
1828	backup.exe
364	backup.exe
1672	backup.exe
1160	backup.exe
868	backup.exe
1692	backup.exe
836	backup.exe
652	System Restore.exe
584	backup.exe
1400	backup.exe
764	backup.exe
636	backup.exe
2000	backup.exe
760	backup.exe
980	update.exe
828	update.exe
1600	backup.exe
948	backup.exe
1532	backup.exe
1520	backup.exe
1980	data.exe
2012	backup.exe
1088	backup.exe
1884	data.exe
1716	backup.exe
1292	backup.exe
968	backup.exe
676	backup.exe
1728	update.exe
1588	backup.exe
1084	System Restore.exe
1928	backup.exe
1548	backup.exe
1124	backup.exe
1468	backup.exe
652	backup.exe
584	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1748	backup.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1748	backup.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1100	backup.exe
1100	backup.exe
1748	backup.exe
1748	backup.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
784	backup.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
784	backup.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
560	System Restore.exe
560	System Restore.exe
784	backup.exe
784	backup.exe
1916	backup.exe
1916	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
1832	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Services\update.exe	backup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
1092	backup.exe
1748	backup.exe
1552	backup.exe
1428	backup.exe
1100	backup.exe
1276	backup.exe
364	backup.exe
868	backup.exe
784	backup.exe
560	System Restore.exe
1760	backup.exe
1896	backup.exe
268	backup.exe
1916	backup.exe
1644	backup.exe
828	backup.exe
1832	backup.exe
1932	backup.exe
1744	backup.exe
1028	backup.exe
1528	backup.exe
1064	backup.exe
1472	backup.exe
1292	backup.exe
520	backup.exe
1484	data.exe
1144	backup.exe
1828	backup.exe
364	backup.exe
1672	backup.exe
1160	backup.exe
868	backup.exe
1692	backup.exe
836	backup.exe
652	System Restore.exe
584	backup.exe
1400	backup.exe
764	backup.exe
636	backup.exe
2000	backup.exe
760	backup.exe
980	update.exe
828	update.exe
1600	backup.exe
948	backup.exe
1532	backup.exe
1520	backup.exe
1980	data.exe
2012	backup.exe
1088	backup.exe
1884	data.exe
1716	backup.exe
1292	backup.exe
968	backup.exe
676	backup.exe
1728	update.exe
1588	backup.exe
1468	backup.exe
1084	System Restore.exe
1928	backup.exe
1124	backup.exe
1548	backup.exe
652	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1092	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	27
PID 1732 wrote to memory of 1092	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	27
PID 1732 wrote to memory of 1092	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	27
PID 1732 wrote to memory of 1092	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	27
PID 1092 wrote to memory of 1748	1092	backup.exe	29
PID 1092 wrote to memory of 1748	1092	backup.exe	29
PID 1092 wrote to memory of 1748	1092	backup.exe	29
PID 1092 wrote to memory of 1748	1092	backup.exe	29
PID 1732 wrote to memory of 1552	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	28
PID 1732 wrote to memory of 1552	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	28
PID 1732 wrote to memory of 1552	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	28
PID 1732 wrote to memory of 1552	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	28
PID 1748 wrote to memory of 1100	1748	backup.exe	30
PID 1748 wrote to memory of 1100	1748	backup.exe	30
PID 1748 wrote to memory of 1100	1748	backup.exe	30
PID 1748 wrote to memory of 1100	1748	backup.exe	30
PID 1732 wrote to memory of 1428	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	31
PID 1732 wrote to memory of 1428	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	31
PID 1732 wrote to memory of 1428	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	31
PID 1732 wrote to memory of 1428	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	31
PID 1732 wrote to memory of 364	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	32
PID 1732 wrote to memory of 364	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	32
PID 1732 wrote to memory of 364	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	32
PID 1732 wrote to memory of 364	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	32
PID 1100 wrote to memory of 1276	1100	backup.exe	33
PID 1100 wrote to memory of 1276	1100	backup.exe	33
PID 1100 wrote to memory of 1276	1100	backup.exe	33
PID 1100 wrote to memory of 1276	1100	backup.exe	33
PID 1748 wrote to memory of 784	1748	backup.exe	34
PID 1748 wrote to memory of 784	1748	backup.exe	34
PID 1748 wrote to memory of 784	1748	backup.exe	34
PID 1748 wrote to memory of 784	1748	backup.exe	34
PID 1732 wrote to memory of 868	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	35
PID 1732 wrote to memory of 868	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	35
PID 1732 wrote to memory of 868	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	35
PID 1732 wrote to memory of 868	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	35
PID 1732 wrote to memory of 1760	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	36
PID 1732 wrote to memory of 1760	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	36
PID 1732 wrote to memory of 1760	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	36
PID 1732 wrote to memory of 1760	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	36
PID 784 wrote to memory of 560	784	backup.exe	37
PID 784 wrote to memory of 560	784	backup.exe	37
PID 784 wrote to memory of 560	784	backup.exe	37
PID 784 wrote to memory of 560	784	backup.exe	37
PID 1732 wrote to memory of 1896	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	38
PID 1732 wrote to memory of 1896	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	38
PID 1732 wrote to memory of 1896	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	38
PID 1732 wrote to memory of 1896	1732	87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe	38
PID 560 wrote to memory of 268	560	System Restore.exe	39
PID 560 wrote to memory of 268	560	System Restore.exe	39
PID 560 wrote to memory of 268	560	System Restore.exe	39
PID 560 wrote to memory of 268	560	System Restore.exe	39
PID 784 wrote to memory of 1916	784	backup.exe	40
PID 784 wrote to memory of 1916	784	backup.exe	40
PID 784 wrote to memory of 1916	784	backup.exe	40
PID 784 wrote to memory of 1916	784	backup.exe	40
PID 1916 wrote to memory of 1644	1916	backup.exe	41
PID 1916 wrote to memory of 1644	1916	backup.exe	41
PID 1916 wrote to memory of 1644	1916	backup.exe	41
PID 1916 wrote to memory of 1644	1916	backup.exe	41
PID 1644 wrote to memory of 828	1644	backup.exe	42
PID 1644 wrote to memory of 828	1644	backup.exe	42
PID 1644 wrote to memory of 828	1644	backup.exe	42
PID 1644 wrote to memory of 828	1644	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe
"C:\Users\Admin\AppData\Local\Temp\87a62558f4ef53bfa41d4d5c813781b944846b7e0131b729f89018fec91c5022.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\2357837601\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2357837601\backup.exe C:\Users\Admin\AppData\Local\Temp\2357837601\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1100
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:784
    - - C:\Program Files\7-Zip\System Restore.exe
        
        "C:\Program Files\7-Zip\System Restore.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:560
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1136
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        System policy modification
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1076
      - C:\Program Files\Common Files\Services\update.exe
        
        "C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1488
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1576
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:692
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1944
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1452
        
        C:\Program Files\Common Files\System\ado\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\update.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:840
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1664
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1332
        
        C:\Program Files\Common Files\System\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1964
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1180
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1692
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:804
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1548
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:536
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1660
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1060
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1468
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
      - C:\Program Files\DVD Maker\Shared\update.exe
        
        "C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1568
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1488
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1904
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:564
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1332
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1456
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1944
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1452
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1468
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1684
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2020
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1992
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1056
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:964
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1100
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:1508
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1292
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:1064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        System policy modification
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1484
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        System policy modification
        
        PID:276
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1124
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1616
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1772
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:268
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Disables RegEdit via registry modification
        
        PID:292
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1528
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
      - C:\Program Files (x86)\Common Files\DESIGNER\update.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\update.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:240
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1060
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:860
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:804
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1920
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1412
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2004
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:908
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:636
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1788
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1188
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1556
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1600
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1580
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:1548
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      System policy modification
      PID:584
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1896
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1612
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1948
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1552
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1648
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:832
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1740
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1412
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:1992
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:1740
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:268
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:188
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:428
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      PID:980
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:1392
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:428
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:608
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:676
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:364
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1285372ccec5c4c5bf5cfe2fed96eae9

SHA1
fe11cf1b15d4b41cb40d3a6b0cd74586692c0966

SHA256
e85d131a2de5f68c081854062854fff946730ea1c225943708bf47601ee61d2e

SHA512
e146e171106da2b54f63941829811dc7d1685e19147b8199937c992b797524e57c4e15944bff015073f68c2b8eb6fbf4ab66a84fe54f0667cf23d3b7ef488a84

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
038835e36a2b377f114c61cc0ed1b2c3

SHA1
144b00624b8d95933e9c159965fc76f0833dd6d0

SHA256
e6785c42c6dbc8e66b374fb842455aae4c52a5361bb28a165e783dcad147eb91

SHA512
88701f62f582fdee57494a4da39cd649174c9d970a0e01cc233604443acb4026bae9aceefc201c8449db64e09c7fb232c9f0d2f81229404142e37202a80ba85c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
038835e36a2b377f114c61cc0ed1b2c3

SHA1
144b00624b8d95933e9c159965fc76f0833dd6d0

SHA256
e6785c42c6dbc8e66b374fb842455aae4c52a5361bb28a165e783dcad147eb91

SHA512
88701f62f582fdee57494a4da39cd649174c9d970a0e01cc233604443acb4026bae9aceefc201c8449db64e09c7fb232c9f0d2f81229404142e37202a80ba85c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
62e1b0ba1357093a0a1b2136ddda9246

SHA1
ad445138332b20281eb037b3ebff2e1bd938d0a5

SHA256
7775ce546dde3a70a54a0164b0f2d551d8cefe452f6ad15191340b1d35f89116

SHA512
09aa1887cfe6d46d18256472e80686e786c67e29fa31b66be35ff6f8d3adb58ec40b785b44a8024b7ee8e95bcf127dfb9322b6a13a3f256ca8e1a66368fca52b

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
959ab022ffd6eec049b985efcba70340

SHA1
8feb9640041677c09807f3a77636df30604b1687

SHA256
65723ae0384ab25114c70180800e2aa4f282519222dab43c934d8e8e37c0cc58

SHA512
8c652569212fd7929eb65113a060eddd50f64dd818198deb882cf9c159a2ec9269e4fd5a7515860423843200a3104e4398222c49b9aded4a959d6cb9e250897f

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
959ab022ffd6eec049b985efcba70340

SHA1
8feb9640041677c09807f3a77636df30604b1687

SHA256
65723ae0384ab25114c70180800e2aa4f282519222dab43c934d8e8e37c0cc58

SHA512
8c652569212fd7929eb65113a060eddd50f64dd818198deb882cf9c159a2ec9269e4fd5a7515860423843200a3104e4398222c49b9aded4a959d6cb9e250897f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ccf61aa0a383c110e7813a5f4d21a222

SHA1
d741a29d232ceec4aaa32626002e70a969cf853f

SHA256
112c29077522a9e24517bcc97235a9d18f0bef5cc5716063c72019a8b571a029

SHA512
8df7ff49c3239f2e23bafa219969e02053e0ee60247d9cd2a08b4f409e8d31543381c7dbe9c9460347a5d7a79de5550521f172c2ff3777200b6cbaca0e0540eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d2915647b9f3ba26b1ebd91669423681

SHA1
e9bf4ebdd6d5aad20e76f718e263948bd4419e0b

SHA256
35d6690441129d1671992a66adce373b2969a34050ddb0a922fefbecb105488c

SHA512
0d9d476c25ffcf76c097ea908b3aec822e5232e3633817a685a9ddf574aa786cb7abb986951ce94a77c663354a0b4f18420ace7ec30e4a8d4a5196b0504327a3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d2915647b9f3ba26b1ebd91669423681

SHA1
e9bf4ebdd6d5aad20e76f718e263948bd4419e0b

SHA256
35d6690441129d1671992a66adce373b2969a34050ddb0a922fefbecb105488c

SHA512
0d9d476c25ffcf76c097ea908b3aec822e5232e3633817a685a9ddf574aa786cb7abb986951ce94a77c663354a0b4f18420ace7ec30e4a8d4a5196b0504327a3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b2cedcbb57418c468922439e15a0f12d

SHA1
39c2dd8468caabf75778970438ffd4d76df711ce

SHA256
2bd97ce1100e2eac0457c18b48c10f98175685abb20874a37293e82ccdba130a

SHA512
8f512be5b631dc6e7127c12fa3e4c756b207ccf121199c394f06c340250bbdaedbca2e3b942da449c691f1c5adb66bccf64af73c4a33128a10537ba69070a5fd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b2cedcbb57418c468922439e15a0f12d

SHA1
39c2dd8468caabf75778970438ffd4d76df711ce

SHA256
2bd97ce1100e2eac0457c18b48c10f98175685abb20874a37293e82ccdba130a

SHA512
8f512be5b631dc6e7127c12fa3e4c756b207ccf121199c394f06c340250bbdaedbca2e3b942da449c691f1c5adb66bccf64af73c4a33128a10537ba69070a5fd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f64c6fc934e1d7a012b6cca73205e7c2

SHA1
821eec0ec6e52ac169aea95c31e16610da6cea4e

SHA256
96893e1a76aedcab14d88eac39ef3ac112d1bdd91c8d503161220dec413282f6

SHA512
b1eb657299de6848a7fdc05211e2989bdf53228ac417c3313c7c9ecc525f7e104cf89668b157943668b5cd3b4ffcfdd1121b949e87d640c958bfb04ee6b2adda

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f64c6fc934e1d7a012b6cca73205e7c2

SHA1
821eec0ec6e52ac169aea95c31e16610da6cea4e

SHA256
96893e1a76aedcab14d88eac39ef3ac112d1bdd91c8d503161220dec413282f6

SHA512
b1eb657299de6848a7fdc05211e2989bdf53228ac417c3313c7c9ecc525f7e104cf89668b157943668b5cd3b4ffcfdd1121b949e87d640c958bfb04ee6b2adda

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
c733e488f8c78d1f2737bd9fc178abbe

SHA1
652890d9399c1352ddc85c5597ee0f04599baa68

SHA256
48713b2c45d183b33f3be53874f3215a2968460ea619e1ad9ba7dd635600983f

SHA512
06eafdabdb0ffe885232c3b6f790c4ab1d8d2a02a61ed4ff8a0188c8b87870b08ed0455ac4ae98a9cddce49b29bea5fe91fe736ca8ad7011d690e2f02348fc3c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
c733e488f8c78d1f2737bd9fc178abbe

SHA1
652890d9399c1352ddc85c5597ee0f04599baa68

SHA256
48713b2c45d183b33f3be53874f3215a2968460ea619e1ad9ba7dd635600983f

SHA512
06eafdabdb0ffe885232c3b6f790c4ab1d8d2a02a61ed4ff8a0188c8b87870b08ed0455ac4ae98a9cddce49b29bea5fe91fe736ca8ad7011d690e2f02348fc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2357837601\backup.exe

Filesize
72KB

MD5
5478cb5350a5341fce25c3513d9d3a91

SHA1
4d7dcf53011a5a71532751d269305e912d8f32db

SHA256
f2aaba26b627e5666c43bb7eb15d878505435467021faf0cdc8526c3d4196a93

SHA512
1f16f89eb183983ab374326f9b73f43f6d334bb5a6e7bc7966ce3966be5f2b75f0a30086aa6d49462c66892e955ca058cd291374ec20586c90c80e3d6da472f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2357837601\backup.exe

Filesize
72KB

MD5
5478cb5350a5341fce25c3513d9d3a91

SHA1
4d7dcf53011a5a71532751d269305e912d8f32db

SHA256
f2aaba26b627e5666c43bb7eb15d878505435467021faf0cdc8526c3d4196a93

SHA512
1f16f89eb183983ab374326f9b73f43f6d334bb5a6e7bc7966ce3966be5f2b75f0a30086aa6d49462c66892e955ca058cd291374ec20586c90c80e3d6da472f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
74609bad4e70ed98963164c9549586ab

SHA1
a7c020651786142246b5845537e2eedd12d1453e

SHA256
e84e870af4182ff912c8f2816d937e61d37f7b4601af08d523a16d6dbaf87dcc

SHA512
7703cabce1cd97c126ee691dbbaefa6f5c6f8fc43c7e2a8c5083f5425c25ba85dc39b9b7e1ccefcf271337b7c25edfb24abde1a6289a0bdc349b9852166b7b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f28587392ad75cd5a682b2b4c35ca867

SHA1
9ff5b0d2a9f21419b48228958096443f2aaf9b6c

SHA256
22ee7e36a7601c414f4a8f3157d50f3e59f02d769f73f99e12da733aeed0bc34

SHA512
ed812d002371b0bdca29e443933d8d205286703c8122e990257f847239d5d805ff35d87e8e22fe5db16c982a55ab6a7151fb42231f2e12957ac5810265931719

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a77d7298cff85fd7c007fde541e3c2f2

SHA1
c790537abfe66c10561a55955d7283b32443c8ec

SHA256
48247fcd92ea81f5bf02900e8c3b1a1c60c5fb566e47ba7c1878fae2bf3c5179

SHA512
2b91b6ae78209b9f491d3c5555b292ac15812ffa0d7b4b205a5d7e943385aa8daa7db5765156f6a7389e680d268b42d11302c69c47a7aa1cc6b6d8928d3b5f36

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a77d7298cff85fd7c007fde541e3c2f2

SHA1
c790537abfe66c10561a55955d7283b32443c8ec

SHA256
48247fcd92ea81f5bf02900e8c3b1a1c60c5fb566e47ba7c1878fae2bf3c5179

SHA512
2b91b6ae78209b9f491d3c5555b292ac15812ffa0d7b4b205a5d7e943385aa8daa7db5765156f6a7389e680d268b42d11302c69c47a7aa1cc6b6d8928d3b5f36

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1285372ccec5c4c5bf5cfe2fed96eae9

SHA1
fe11cf1b15d4b41cb40d3a6b0cd74586692c0966

SHA256
e85d131a2de5f68c081854062854fff946730ea1c225943708bf47601ee61d2e

SHA512
e146e171106da2b54f63941829811dc7d1685e19147b8199937c992b797524e57c4e15944bff015073f68c2b8eb6fbf4ab66a84fe54f0667cf23d3b7ef488a84

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1285372ccec5c4c5bf5cfe2fed96eae9

SHA1
fe11cf1b15d4b41cb40d3a6b0cd74586692c0966

SHA256
e85d131a2de5f68c081854062854fff946730ea1c225943708bf47601ee61d2e

SHA512
e146e171106da2b54f63941829811dc7d1685e19147b8199937c992b797524e57c4e15944bff015073f68c2b8eb6fbf4ab66a84fe54f0667cf23d3b7ef488a84

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
038835e36a2b377f114c61cc0ed1b2c3

SHA1
144b00624b8d95933e9c159965fc76f0833dd6d0

SHA256
e6785c42c6dbc8e66b374fb842455aae4c52a5361bb28a165e783dcad147eb91

SHA512
88701f62f582fdee57494a4da39cd649174c9d970a0e01cc233604443acb4026bae9aceefc201c8449db64e09c7fb232c9f0d2f81229404142e37202a80ba85c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
038835e36a2b377f114c61cc0ed1b2c3

SHA1
144b00624b8d95933e9c159965fc76f0833dd6d0

SHA256
e6785c42c6dbc8e66b374fb842455aae4c52a5361bb28a165e783dcad147eb91

SHA512
88701f62f582fdee57494a4da39cd649174c9d970a0e01cc233604443acb4026bae9aceefc201c8449db64e09c7fb232c9f0d2f81229404142e37202a80ba85c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
62e1b0ba1357093a0a1b2136ddda9246

SHA1
ad445138332b20281eb037b3ebff2e1bd938d0a5

SHA256
7775ce546dde3a70a54a0164b0f2d551d8cefe452f6ad15191340b1d35f89116

SHA512
09aa1887cfe6d46d18256472e80686e786c67e29fa31b66be35ff6f8d3adb58ec40b785b44a8024b7ee8e95bcf127dfb9322b6a13a3f256ca8e1a66368fca52b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
62e1b0ba1357093a0a1b2136ddda9246

SHA1
ad445138332b20281eb037b3ebff2e1bd938d0a5

SHA256
7775ce546dde3a70a54a0164b0f2d551d8cefe452f6ad15191340b1d35f89116

SHA512
09aa1887cfe6d46d18256472e80686e786c67e29fa31b66be35ff6f8d3adb58ec40b785b44a8024b7ee8e95bcf127dfb9322b6a13a3f256ca8e1a66368fca52b

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
959ab022ffd6eec049b985efcba70340

SHA1
8feb9640041677c09807f3a77636df30604b1687

SHA256
65723ae0384ab25114c70180800e2aa4f282519222dab43c934d8e8e37c0cc58

SHA512
8c652569212fd7929eb65113a060eddd50f64dd818198deb882cf9c159a2ec9269e4fd5a7515860423843200a3104e4398222c49b9aded4a959d6cb9e250897f

Download Submit
\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
959ab022ffd6eec049b985efcba70340

SHA1
8feb9640041677c09807f3a77636df30604b1687

SHA256
65723ae0384ab25114c70180800e2aa4f282519222dab43c934d8e8e37c0cc58

SHA512
8c652569212fd7929eb65113a060eddd50f64dd818198deb882cf9c159a2ec9269e4fd5a7515860423843200a3104e4398222c49b9aded4a959d6cb9e250897f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ccf61aa0a383c110e7813a5f4d21a222

SHA1
d741a29d232ceec4aaa32626002e70a969cf853f

SHA256
112c29077522a9e24517bcc97235a9d18f0bef5cc5716063c72019a8b571a029

SHA512
8df7ff49c3239f2e23bafa219969e02053e0ee60247d9cd2a08b4f409e8d31543381c7dbe9c9460347a5d7a79de5550521f172c2ff3777200b6cbaca0e0540eb

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
ccf61aa0a383c110e7813a5f4d21a222

SHA1
d741a29d232ceec4aaa32626002e70a969cf853f

SHA256
112c29077522a9e24517bcc97235a9d18f0bef5cc5716063c72019a8b571a029

SHA512
8df7ff49c3239f2e23bafa219969e02053e0ee60247d9cd2a08b4f409e8d31543381c7dbe9c9460347a5d7a79de5550521f172c2ff3777200b6cbaca0e0540eb

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d2915647b9f3ba26b1ebd91669423681

SHA1
e9bf4ebdd6d5aad20e76f718e263948bd4419e0b

SHA256
35d6690441129d1671992a66adce373b2969a34050ddb0a922fefbecb105488c

SHA512
0d9d476c25ffcf76c097ea908b3aec822e5232e3633817a685a9ddf574aa786cb7abb986951ce94a77c663354a0b4f18420ace7ec30e4a8d4a5196b0504327a3

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
d2915647b9f3ba26b1ebd91669423681

SHA1
e9bf4ebdd6d5aad20e76f718e263948bd4419e0b

SHA256
35d6690441129d1671992a66adce373b2969a34050ddb0a922fefbecb105488c

SHA512
0d9d476c25ffcf76c097ea908b3aec822e5232e3633817a685a9ddf574aa786cb7abb986951ce94a77c663354a0b4f18420ace7ec30e4a8d4a5196b0504327a3

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b2cedcbb57418c468922439e15a0f12d

SHA1
39c2dd8468caabf75778970438ffd4d76df711ce

SHA256
2bd97ce1100e2eac0457c18b48c10f98175685abb20874a37293e82ccdba130a

SHA512
8f512be5b631dc6e7127c12fa3e4c756b207ccf121199c394f06c340250bbdaedbca2e3b942da449c691f1c5adb66bccf64af73c4a33128a10537ba69070a5fd

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b2cedcbb57418c468922439e15a0f12d

SHA1
39c2dd8468caabf75778970438ffd4d76df711ce

SHA256
2bd97ce1100e2eac0457c18b48c10f98175685abb20874a37293e82ccdba130a

SHA512
8f512be5b631dc6e7127c12fa3e4c756b207ccf121199c394f06c340250bbdaedbca2e3b942da449c691f1c5adb66bccf64af73c4a33128a10537ba69070a5fd

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3ddcad76b8e0f4a996f3db28f099e7c1

SHA1
1a9fadf53905be2042f8f82fbb453d8a94178051

SHA256
c561cd019ee923e9db508c395f13e119e5eae41e2a0a3cecb7776d2f92f63a8d

SHA512
8f66a4e97eaa3980c0da1958c720869b4ae1a7bac3c4c50fb7d69088b1020573c86337f8cf7f6d5ac79b3a20d2daffd80ecd98851993e3c3847c500932f81e8a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
ba3990904e5aa26cd37058bdcfd6da81

SHA1
b65355453f8833a5850101581c10d6e69adc104e

SHA256
8a3c6b437bc1f370a7ca61a59847ee4acdcef4b41825776dfdb322447751d589

SHA512
32376032a8e7318595dbb52dafa3100edad1bd236df20b86d9dad5b2f887d9efb04a35210d40869d94e79ebeaaa9f2f751c73f7b9b74c2883e7aaa33ae16cc86

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f64c6fc934e1d7a012b6cca73205e7c2

SHA1
821eec0ec6e52ac169aea95c31e16610da6cea4e

SHA256
96893e1a76aedcab14d88eac39ef3ac112d1bdd91c8d503161220dec413282f6

SHA512
b1eb657299de6848a7fdc05211e2989bdf53228ac417c3313c7c9ecc525f7e104cf89668b157943668b5cd3b4ffcfdd1121b949e87d640c958bfb04ee6b2adda

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f64c6fc934e1d7a012b6cca73205e7c2

SHA1
821eec0ec6e52ac169aea95c31e16610da6cea4e

SHA256
96893e1a76aedcab14d88eac39ef3ac112d1bdd91c8d503161220dec413282f6

SHA512
b1eb657299de6848a7fdc05211e2989bdf53228ac417c3313c7c9ecc525f7e104cf89668b157943668b5cd3b4ffcfdd1121b949e87d640c958bfb04ee6b2adda

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
c733e488f8c78d1f2737bd9fc178abbe

SHA1
652890d9399c1352ddc85c5597ee0f04599baa68

SHA256
48713b2c45d183b33f3be53874f3215a2968460ea619e1ad9ba7dd635600983f

SHA512
06eafdabdb0ffe885232c3b6f790c4ab1d8d2a02a61ed4ff8a0188c8b87870b08ed0455ac4ae98a9cddce49b29bea5fe91fe736ca8ad7011d690e2f02348fc3c

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
c733e488f8c78d1f2737bd9fc178abbe

SHA1
652890d9399c1352ddc85c5597ee0f04599baa68

SHA256
48713b2c45d183b33f3be53874f3215a2968460ea619e1ad9ba7dd635600983f

SHA512
06eafdabdb0ffe885232c3b6f790c4ab1d8d2a02a61ed4ff8a0188c8b87870b08ed0455ac4ae98a9cddce49b29bea5fe91fe736ca8ad7011d690e2f02348fc3c

Download Submit
\Users\Admin\AppData\Local\Temp\2357837601\backup.exe

Filesize
72KB

MD5
5478cb5350a5341fce25c3513d9d3a91

SHA1
4d7dcf53011a5a71532751d269305e912d8f32db

SHA256
f2aaba26b627e5666c43bb7eb15d878505435467021faf0cdc8526c3d4196a93

SHA512
1f16f89eb183983ab374326f9b73f43f6d334bb5a6e7bc7966ce3966be5f2b75f0a30086aa6d49462c66892e955ca058cd291374ec20586c90c80e3d6da472f6

Download Submit
\Users\Admin\AppData\Local\Temp\2357837601\backup.exe

Filesize
72KB

MD5
5478cb5350a5341fce25c3513d9d3a91

SHA1
4d7dcf53011a5a71532751d269305e912d8f32db

SHA256
f2aaba26b627e5666c43bb7eb15d878505435467021faf0cdc8526c3d4196a93

SHA512
1f16f89eb183983ab374326f9b73f43f6d334bb5a6e7bc7966ce3966be5f2b75f0a30086aa6d49462c66892e955ca058cd291374ec20586c90c80e3d6da472f6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5687dc9b80e078792f34e962f9d3aea9

SHA1
12d2bc6742901df6e034e28c6b1da13159b9bf32

SHA256
064e04942ab8f268d3c74671f4535731d3bf7d849f223dc0ba9522781e52f339

SHA512
3f1929b3b1be05014c161bfb9e82f3b8f89c48b57dc9777399c8fa58b2149f9ff53a2c994eda7b514fe1474a853f39cdb2525235daa9a8b47b4c8c204d070cfa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
74609bad4e70ed98963164c9549586ab

SHA1
a7c020651786142246b5845537e2eedd12d1453e

SHA256
e84e870af4182ff912c8f2816d937e61d37f7b4601af08d523a16d6dbaf87dcc

SHA512
7703cabce1cd97c126ee691dbbaefa6f5c6f8fc43c7e2a8c5083f5425c25ba85dc39b9b7e1ccefcf271337b7c25edfb24abde1a6289a0bdc349b9852166b7b4c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
74609bad4e70ed98963164c9549586ab

SHA1
a7c020651786142246b5845537e2eedd12d1453e

SHA256
e84e870af4182ff912c8f2816d937e61d37f7b4601af08d523a16d6dbaf87dcc

SHA512
7703cabce1cd97c126ee691dbbaefa6f5c6f8fc43c7e2a8c5083f5425c25ba85dc39b9b7e1ccefcf271337b7c25edfb24abde1a6289a0bdc349b9852166b7b4c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f28587392ad75cd5a682b2b4c35ca867

SHA1
9ff5b0d2a9f21419b48228958096443f2aaf9b6c

SHA256
22ee7e36a7601c414f4a8f3157d50f3e59f02d769f73f99e12da733aeed0bc34

SHA512
ed812d002371b0bdca29e443933d8d205286703c8122e990257f847239d5d805ff35d87e8e22fe5db16c982a55ab6a7151fb42231f2e12957ac5810265931719

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
f28587392ad75cd5a682b2b4c35ca867

SHA1
9ff5b0d2a9f21419b48228958096443f2aaf9b6c

SHA256
22ee7e36a7601c414f4a8f3157d50f3e59f02d769f73f99e12da733aeed0bc34

SHA512
ed812d002371b0bdca29e443933d8d205286703c8122e990257f847239d5d805ff35d87e8e22fe5db16c982a55ab6a7151fb42231f2e12957ac5810265931719

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
1d68c43bd73bb6f080e43f5349de03ef

SHA1
9c2e8cd71f2c62bc51cf55f5fd7b98b9a63ddf3d

SHA256
d6678f9f7f0f9b9a5fa5fd708632b0e1252fca8b123f0457a0db2ce8146aab2b

SHA512
5b837cfd50dbb8ccd9256bb6747eebc44694c51cf2f25d638623dcd922d0e04a68f159c3b472e32cb7627dbadd4f0e79f5d6e1b958ceac70a77179478ef0a54a

Download Submit
memory/1732-151-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1732-221-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads