69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
Size

72KB
MD5

0e3ec772c99f07a269e45c914f84bda7
SHA1

49dd8f0fc2fad54475b3935421848c792df94075
SHA256

69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539
SHA512

28204a9764ffe20d02761092292e3cd03220fbb3461ece68e07ac53b47f14cb8b04adb5f9e8153edf62ec727f9de1074f9db1c2ecd48747636a3b2eb3a69507f
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2W:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr6

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1100	backup.exe
1524	backup.exe
984	backup.exe
1088	backup.exe
1184	backup.exe
960	backup.exe
1472	backup.exe
1712	backup.exe
820	backup.exe
1672	backup.exe
1016	backup.exe
1840	backup.exe
1436	backup.exe
1988	backup.exe
1752	backup.exe
464	backup.exe
1852	backup.exe
900	backup.exe
1324	backup.exe
1920	backup.exe
1500	backup.exe
1960	backup.exe
940	backup.exe
1072	backup.exe
304	backup.exe
1180	backup.exe
1796	backup.exe
1808	backup.exe
1736	backup.exe
1352	backup.exe
1844	backup.exe
964	backup.exe
1776	backup.exe
1636	backup.exe
788	backup.exe
1784	update.exe
1664	backup.exe
332	backup.exe
1016	backup.exe
1512	backup.exe
1480	backup.exe
828	backup.exe
576	backup.exe
972	backup.exe
1000	update.exe
1684	backup.exe
1848	backup.exe
1648	backup.exe
1452	backup.exe
1388	backup.exe
1972	backup.exe
1080	backup.exe
792	data.exe
680	backup.exe
1788	backup.exe
1688	backup.exe
1068	backup.exe
1640	backup.exe
1908	backup.exe
1456	backup.exe
1712	backup.exe
1572	backup.exe
1660	backup.exe
520	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
1088	backup.exe
1088	backup.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
960	backup.exe
960	backup.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
1088	backup.exe
1088	backup.exe
1672	backup.exe
1672	backup.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
1016	backup.exe
1016	backup.exe
1672	backup.exe
1672	backup.exe
1988	backup.exe
1988	backup.exe
1752	backup.exe
1752	backup.exe
1752	backup.exe
1752	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1852	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1088	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
1100	backup.exe
1524	backup.exe
984	backup.exe
1088	backup.exe
1184	backup.exe
1472	backup.exe
960	backup.exe
820	backup.exe
1712	backup.exe
1672	backup.exe
1016	backup.exe
1840	backup.exe
1436	backup.exe
1988	backup.exe
1752	backup.exe
464	backup.exe
1852	backup.exe
900	backup.exe
1324	backup.exe
1920	backup.exe
1500	backup.exe
1960	backup.exe
940	backup.exe
1072	backup.exe
304	backup.exe
1180	backup.exe
1796	backup.exe
1808	backup.exe
1736	backup.exe
1352	backup.exe
1844	backup.exe
964	backup.exe
1776	backup.exe
1636	backup.exe
788	backup.exe
1664	backup.exe
332	backup.exe
1016	backup.exe
1512	backup.exe
1480	backup.exe
828	backup.exe
576	backup.exe
972	backup.exe
1848	backup.exe
1684	backup.exe
1648	backup.exe
1452	backup.exe
1388	backup.exe
1972	backup.exe
1080	backup.exe
792	data.exe
680	backup.exe
1788	backup.exe
1688	backup.exe
1068	backup.exe
1640	backup.exe
1908	backup.exe
1456	backup.exe
1712	backup.exe
1572	backup.exe
1660	backup.exe
520	backup.exe
1436	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1100	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	26
PID 368 wrote to memory of 1100	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	26
PID 368 wrote to memory of 1100	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	26
PID 368 wrote to memory of 1100	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	26
PID 368 wrote to memory of 1524	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	27
PID 368 wrote to memory of 1524	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	27
PID 368 wrote to memory of 1524	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	27
PID 368 wrote to memory of 1524	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	27
PID 368 wrote to memory of 984	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	28
PID 368 wrote to memory of 984	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	28
PID 368 wrote to memory of 984	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	28
PID 368 wrote to memory of 984	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	28
PID 1100 wrote to memory of 1088	1100	backup.exe	29
PID 1100 wrote to memory of 1088	1100	backup.exe	29
PID 1100 wrote to memory of 1088	1100	backup.exe	29
PID 1100 wrote to memory of 1088	1100	backup.exe	29
PID 368 wrote to memory of 1184	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	30
PID 368 wrote to memory of 1184	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	30
PID 368 wrote to memory of 1184	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	30
PID 368 wrote to memory of 1184	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	30
PID 1088 wrote to memory of 960	1088	backup.exe	31
PID 1088 wrote to memory of 960	1088	backup.exe	31
PID 1088 wrote to memory of 960	1088	backup.exe	31
PID 1088 wrote to memory of 960	1088	backup.exe	31
PID 368 wrote to memory of 1472	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	32
PID 368 wrote to memory of 1472	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	32
PID 368 wrote to memory of 1472	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	32
PID 368 wrote to memory of 1472	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	32
PID 960 wrote to memory of 1712	960	backup.exe	33
PID 960 wrote to memory of 1712	960	backup.exe	33
PID 960 wrote to memory of 1712	960	backup.exe	33
PID 960 wrote to memory of 1712	960	backup.exe	33
PID 368 wrote to memory of 820	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	34
PID 368 wrote to memory of 820	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	34
PID 368 wrote to memory of 820	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	34
PID 368 wrote to memory of 820	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	34
PID 1088 wrote to memory of 1672	1088	backup.exe	35
PID 1088 wrote to memory of 1672	1088	backup.exe	35
PID 1088 wrote to memory of 1672	1088	backup.exe	35
PID 1088 wrote to memory of 1672	1088	backup.exe	35
PID 1672 wrote to memory of 1016	1672	backup.exe	36
PID 1672 wrote to memory of 1016	1672	backup.exe	36
PID 1672 wrote to memory of 1016	1672	backup.exe	36
PID 1672 wrote to memory of 1016	1672	backup.exe	36
PID 368 wrote to memory of 1840	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	37
PID 368 wrote to memory of 1840	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	37
PID 368 wrote to memory of 1840	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	37
PID 368 wrote to memory of 1840	368	69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe	37
PID 1016 wrote to memory of 1436	1016	backup.exe	38
PID 1016 wrote to memory of 1436	1016	backup.exe	38
PID 1016 wrote to memory of 1436	1016	backup.exe	38
PID 1016 wrote to memory of 1436	1016	backup.exe	38
PID 1672 wrote to memory of 1988	1672	backup.exe	39
PID 1672 wrote to memory of 1988	1672	backup.exe	39
PID 1672 wrote to memory of 1988	1672	backup.exe	39
PID 1672 wrote to memory of 1988	1672	backup.exe	39
PID 1988 wrote to memory of 1752	1988	backup.exe	40
PID 1988 wrote to memory of 1752	1988	backup.exe	40
PID 1988 wrote to memory of 1752	1988	backup.exe	40
PID 1988 wrote to memory of 1752	1988	backup.exe	40
PID 1752 wrote to memory of 464	1752	backup.exe	41
PID 1752 wrote to memory of 464	1752	backup.exe	41
PID 1752 wrote to memory of 464	1752	backup.exe	41
PID 1752 wrote to memory of 464	1752	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe

C:\Users\Admin\AppData\Local\Temp\69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe
"C:\Users\Admin\AppData\Local\Temp\69ffabf14c1999c608f7b7d0a5612c8644d6b66ddcb9a4c8fdc2cf2e4261a539.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\4159384692\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4159384692\backup.exe C:\Users\Admin\AppData\Local\Temp\4159384692\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1100
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1088
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1672
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1016
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1988
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2420
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2108
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2216
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2348
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2444
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2132
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:828
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files\Common Files\System\ado\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\data.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:792
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\System\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\en-US\System Restore.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1592
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:656
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1788
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1012
        
        C:\Program Files\Common Files\System\msadc\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\data.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1312
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1056
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:304
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
      - C:\Program Files\DVD Maker\en-US\update.exe
        
        "C:\Program Files\DVD Maker\en-US\update.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1000
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1116
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1708
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1292
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1796
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        System policy modification
        
        PID:976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1184
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1716
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1608
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2116
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2272
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2428
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1168
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2084
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2180
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2332
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2452
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:760
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2076
      - C:\Program Files\Java\jre7\System Restore.exe
        
        "C:\Program Files\Java\jre7\System Restore.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2188
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1116
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:2340
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2460
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:672
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2148
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2296
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2396
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1776
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        System policy modification
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2172
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1268
      - C:\Program Files (x86)\Common Files\Adobe\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\update.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:1648
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1388
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:556
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:960
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:520
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1584
      - C:\Program Files (x86)\Common Files\Adobe AIR\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1704
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:948
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1772
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2140
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2264
      - C:\Program Files (x86)\Common Files\System\update.exe
        
        "C:\Program Files (x86)\Common Files\System\update.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2436
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1780
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1360
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1364
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1488
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2404
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:648
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1564
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1324
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1080
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1624
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1312
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1744
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1596
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1928
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1460
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2164
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2304
      - C:\Users\Admin\Videos\data.exe
        
        C:\Users\Admin\Videos\data.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2412
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:792
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1180
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:984
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:820
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ea9546deeb64ea910aa394475c0da9df

SHA1
bdbdbfe57de1cd52c892c4078b93abfe8c917219

SHA256
bef9a7d6c8fcc979b1d91b2db10377867012b6437a280dce1d79d7c892eb4441

SHA512
ca7608ad9d539c6a55cd73c7036579e29498f7842365dd582c80b6a05d36b4b450c034fa802b226f549cc21a4d213a173005e54361e4b02e5d3ae58b6b097ac6

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
cceb6b967b673bdf7d2d651d45e76573

SHA1
a83435db91ebfbd36b034f03f59dadfe2bf6306d

SHA256
de4f0857fa27a9a0314bf45ce6d89478e11260d6afb904f213fb72b9e6055749

SHA512
61509903b6dc5b7f9791bf3ec21b2cd47efe0bf7b200e6246ff4287c8d5cfd21ccd27c91991300d18c9c5bb1fb05789503316183c42b04b96928a18ac22663b3

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
cceb6b967b673bdf7d2d651d45e76573

SHA1
a83435db91ebfbd36b034f03f59dadfe2bf6306d

SHA256
de4f0857fa27a9a0314bf45ce6d89478e11260d6afb904f213fb72b9e6055749

SHA512
61509903b6dc5b7f9791bf3ec21b2cd47efe0bf7b200e6246ff4287c8d5cfd21ccd27c91991300d18c9c5bb1fb05789503316183c42b04b96928a18ac22663b3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
864b77aaf476a233141bc0003bb166de

SHA1
095344a45773e85a5dd53a3b8d5797fbe1890487

SHA256
9635ef8a82177340831352a5a491e4b41fd7b5dbcb34bdc365a99dd415f0ee26

SHA512
79bafc10bddc2ab8308466961da0a13b846f72e214ae52db93f604ca42fb499eba4f41d24e9bb8682daebb1883b8942f2edd26a61e6f323d1888369b5c988bc4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ea238397eca54e35172d068bc1ee6594

SHA1
b11ac61ee4b54be064fee4c22fa9187c947b2fc3

SHA256
9fc2d61725930391362b2d0c78063b8cd11a0065fe48a8418d2248c9429e6446

SHA512
25f2a16d367c52e9c314c4b09c73b7b1ae0e1d61a604900b44772edfc83088515449ac8b1d126cd1b1937c4e8a362cbe49ac0789c833f3b768062414801c5151

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ea238397eca54e35172d068bc1ee6594

SHA1
b11ac61ee4b54be064fee4c22fa9187c947b2fc3

SHA256
9fc2d61725930391362b2d0c78063b8cd11a0065fe48a8418d2248c9429e6446

SHA512
25f2a16d367c52e9c314c4b09c73b7b1ae0e1d61a604900b44772edfc83088515449ac8b1d126cd1b1937c4e8a362cbe49ac0789c833f3b768062414801c5151

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
cb50b814817ef38a26635da51da5f9dd

SHA1
ce4293949ba398551441a17c6c403a02f12cf9c3

SHA256
98fd581a76c4e0bcc5b819ddd113659c40645bbf4cf4299223693941231e653a

SHA512
5016ad4508c4250b4ee822ea7e35784776559ca972cc6b3afe38a3a6324e0b2149fc39507ec37416039ec4889b9903dfdd2a1f00b201ff0576b5b0d84a121646

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
cb50b814817ef38a26635da51da5f9dd

SHA1
ce4293949ba398551441a17c6c403a02f12cf9c3

SHA256
98fd581a76c4e0bcc5b819ddd113659c40645bbf4cf4299223693941231e653a

SHA512
5016ad4508c4250b4ee822ea7e35784776559ca972cc6b3afe38a3a6324e0b2149fc39507ec37416039ec4889b9903dfdd2a1f00b201ff0576b5b0d84a121646

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
06f10fcba35f52cc013d1926a3b0b183

SHA1
4b6b58d3ee15757ea060971fed978e4fa25bc7b5

SHA256
9b4f5973eb7f7aaf43b9b1952b80907a2cc8ccc53ac855dd06d471519c5c35da

SHA512
5d7b9041085b343a89520cba57f9c94679c9c268b1a9b80037b3397335217bb2b5339221be2db35e045a1effade0197cf96319ba04a2a3f69e354cde1961cfb6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
06f10fcba35f52cc013d1926a3b0b183

SHA1
4b6b58d3ee15757ea060971fed978e4fa25bc7b5

SHA256
9b4f5973eb7f7aaf43b9b1952b80907a2cc8ccc53ac855dd06d471519c5c35da

SHA512
5d7b9041085b343a89520cba57f9c94679c9c268b1a9b80037b3397335217bb2b5339221be2db35e045a1effade0197cf96319ba04a2a3f69e354cde1961cfb6

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5e4abe4543acf3a6feb5e5d5e7af5b0c

SHA1
d0b7c3c6df49e743ed9819863dab820ba92cabac

SHA256
e1616c7c7f867abe32494e6071d5be3b421b839d08373c3a22431c7a1cf29799

SHA512
300726858743521faca51ef4f5ab75980baa08b57b750711d17af86baa30a3549189849e3ee64a6a4df30c3ba70ddca3d8341ae1f95b7d6aa04c4e2894ccb94e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5e4abe4543acf3a6feb5e5d5e7af5b0c

SHA1
d0b7c3c6df49e743ed9819863dab820ba92cabac

SHA256
e1616c7c7f867abe32494e6071d5be3b421b839d08373c3a22431c7a1cf29799

SHA512
300726858743521faca51ef4f5ab75980baa08b57b750711d17af86baa30a3549189849e3ee64a6a4df30c3ba70ddca3d8341ae1f95b7d6aa04c4e2894ccb94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4159384692\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4159384692\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5bbf7ff65cbfbef6313bc2eac99e38a6

SHA1
c0223f8effb1d5f9e6127ece5f37f383ea0161a5

SHA256
e50bb8de1311bd1b88ff547e895e821306b58ff8e558b944d271c28cf476a7e0

SHA512
7748afff7743621a10d2cc2914fbbca66e8fb0a894905f47e10e8220c6ebe1ecfd7d228775b6084f67b15cac3e58aea03b09958b4ac74a4c0eb7d12dbbc3f0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d4b0216a2d7691ae42d1dc6b7597ad18

SHA1
4485e102f19ca33b0ae7aa45e5a3fa191c98f4fe

SHA256
12b2bb450be275d00cbe9b49d7e9eeec7d0b5ddf7089ab8e9abe00dce0d8dfa6

SHA512
ac7906115f1ea5be646d285936b996a48dabaf139154e6d7505704671b5124bbffb8476071939b9c934337705e92b93e57575e76b49126ce596b20b1b2a0c6a9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
d4b0216a2d7691ae42d1dc6b7597ad18

SHA1
4485e102f19ca33b0ae7aa45e5a3fa191c98f4fe

SHA256
12b2bb450be275d00cbe9b49d7e9eeec7d0b5ddf7089ab8e9abe00dce0d8dfa6

SHA512
ac7906115f1ea5be646d285936b996a48dabaf139154e6d7505704671b5124bbffb8476071939b9c934337705e92b93e57575e76b49126ce596b20b1b2a0c6a9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ea9546deeb64ea910aa394475c0da9df

SHA1
bdbdbfe57de1cd52c892c4078b93abfe8c917219

SHA256
bef9a7d6c8fcc979b1d91b2db10377867012b6437a280dce1d79d7c892eb4441

SHA512
ca7608ad9d539c6a55cd73c7036579e29498f7842365dd582c80b6a05d36b4b450c034fa802b226f549cc21a4d213a173005e54361e4b02e5d3ae58b6b097ac6

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ea9546deeb64ea910aa394475c0da9df

SHA1
bdbdbfe57de1cd52c892c4078b93abfe8c917219

SHA256
bef9a7d6c8fcc979b1d91b2db10377867012b6437a280dce1d79d7c892eb4441

SHA512
ca7608ad9d539c6a55cd73c7036579e29498f7842365dd582c80b6a05d36b4b450c034fa802b226f549cc21a4d213a173005e54361e4b02e5d3ae58b6b097ac6

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
cceb6b967b673bdf7d2d651d45e76573

SHA1
a83435db91ebfbd36b034f03f59dadfe2bf6306d

SHA256
de4f0857fa27a9a0314bf45ce6d89478e11260d6afb904f213fb72b9e6055749

SHA512
61509903b6dc5b7f9791bf3ec21b2cd47efe0bf7b200e6246ff4287c8d5cfd21ccd27c91991300d18c9c5bb1fb05789503316183c42b04b96928a18ac22663b3

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
cceb6b967b673bdf7d2d651d45e76573

SHA1
a83435db91ebfbd36b034f03f59dadfe2bf6306d

SHA256
de4f0857fa27a9a0314bf45ce6d89478e11260d6afb904f213fb72b9e6055749

SHA512
61509903b6dc5b7f9791bf3ec21b2cd47efe0bf7b200e6246ff4287c8d5cfd21ccd27c91991300d18c9c5bb1fb05789503316183c42b04b96928a18ac22663b3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
864b77aaf476a233141bc0003bb166de

SHA1
095344a45773e85a5dd53a3b8d5797fbe1890487

SHA256
9635ef8a82177340831352a5a491e4b41fd7b5dbcb34bdc365a99dd415f0ee26

SHA512
79bafc10bddc2ab8308466961da0a13b846f72e214ae52db93f604ca42fb499eba4f41d24e9bb8682daebb1883b8942f2edd26a61e6f323d1888369b5c988bc4

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
864b77aaf476a233141bc0003bb166de

SHA1
095344a45773e85a5dd53a3b8d5797fbe1890487

SHA256
9635ef8a82177340831352a5a491e4b41fd7b5dbcb34bdc365a99dd415f0ee26

SHA512
79bafc10bddc2ab8308466961da0a13b846f72e214ae52db93f604ca42fb499eba4f41d24e9bb8682daebb1883b8942f2edd26a61e6f323d1888369b5c988bc4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ea238397eca54e35172d068bc1ee6594

SHA1
b11ac61ee4b54be064fee4c22fa9187c947b2fc3

SHA256
9fc2d61725930391362b2d0c78063b8cd11a0065fe48a8418d2248c9429e6446

SHA512
25f2a16d367c52e9c314c4b09c73b7b1ae0e1d61a604900b44772edfc83088515449ac8b1d126cd1b1937c4e8a362cbe49ac0789c833f3b768062414801c5151

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ea238397eca54e35172d068bc1ee6594

SHA1
b11ac61ee4b54be064fee4c22fa9187c947b2fc3

SHA256
9fc2d61725930391362b2d0c78063b8cd11a0065fe48a8418d2248c9429e6446

SHA512
25f2a16d367c52e9c314c4b09c73b7b1ae0e1d61a604900b44772edfc83088515449ac8b1d126cd1b1937c4e8a362cbe49ac0789c833f3b768062414801c5151

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
cb50b814817ef38a26635da51da5f9dd

SHA1
ce4293949ba398551441a17c6c403a02f12cf9c3

SHA256
98fd581a76c4e0bcc5b819ddd113659c40645bbf4cf4299223693941231e653a

SHA512
5016ad4508c4250b4ee822ea7e35784776559ca972cc6b3afe38a3a6324e0b2149fc39507ec37416039ec4889b9903dfdd2a1f00b201ff0576b5b0d84a121646

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
cb50b814817ef38a26635da51da5f9dd

SHA1
ce4293949ba398551441a17c6c403a02f12cf9c3

SHA256
98fd581a76c4e0bcc5b819ddd113659c40645bbf4cf4299223693941231e653a

SHA512
5016ad4508c4250b4ee822ea7e35784776559ca972cc6b3afe38a3a6324e0b2149fc39507ec37416039ec4889b9903dfdd2a1f00b201ff0576b5b0d84a121646

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6295c0b2027b297d486252d5e838998b

SHA1
28d0b69eff0cce18c7e934e6d5e033588a9ae43c

SHA256
230c9b29cfc200f9fd3c793bd416ba2be4d4d6d119dd2134b2c475e53a712257

SHA512
bcc8eb4e806501b56bd7f55561bb04d300f25032ca539025613b5a9601a0850331b9d2adcbf627399181013d6a8520edb943f78730b5494a28d232619b63fc2a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
2e004c059311a7e83b86a26966054170

SHA1
1ebc12627a23e795224b54221a44c5ee0850044b

SHA256
0ec45755bcb8c8e1e792811913244de068dce56c0933688da5b229abbbe79716

SHA512
4e16fbe9afbc803c68d8d98c71769ee163293dd445a9ab7f482c195697ea44b617962eb25eb461ff4235e313876c4cfff11a189e72f550dcd05bbdc62922ccf1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
801a7481d4f7b65e7f53c85a228e2039

SHA1
1de475ec0c19f10d6779328e580a9bf99fb7b887

SHA256
328b1e34270373c3798990fba643f583ad3d53cd0a46e5f0a8f98f2fa832b7e5

SHA512
50697be272e667688f2c2dce4f8544a7a29b3c876c006ac789012fd0d82c447e6edb25f7c8895c4023465d7996f3a147c588d82e21960a7ff69750d7a5b901e2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
06f10fcba35f52cc013d1926a3b0b183

SHA1
4b6b58d3ee15757ea060971fed978e4fa25bc7b5

SHA256
9b4f5973eb7f7aaf43b9b1952b80907a2cc8ccc53ac855dd06d471519c5c35da

SHA512
5d7b9041085b343a89520cba57f9c94679c9c268b1a9b80037b3397335217bb2b5339221be2db35e045a1effade0197cf96319ba04a2a3f69e354cde1961cfb6

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
06f10fcba35f52cc013d1926a3b0b183

SHA1
4b6b58d3ee15757ea060971fed978e4fa25bc7b5

SHA256
9b4f5973eb7f7aaf43b9b1952b80907a2cc8ccc53ac855dd06d471519c5c35da

SHA512
5d7b9041085b343a89520cba57f9c94679c9c268b1a9b80037b3397335217bb2b5339221be2db35e045a1effade0197cf96319ba04a2a3f69e354cde1961cfb6

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5e4abe4543acf3a6feb5e5d5e7af5b0c

SHA1
d0b7c3c6df49e743ed9819863dab820ba92cabac

SHA256
e1616c7c7f867abe32494e6071d5be3b421b839d08373c3a22431c7a1cf29799

SHA512
300726858743521faca51ef4f5ab75980baa08b57b750711d17af86baa30a3549189849e3ee64a6a4df30c3ba70ddca3d8341ae1f95b7d6aa04c4e2894ccb94e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5e4abe4543acf3a6feb5e5d5e7af5b0c

SHA1
d0b7c3c6df49e743ed9819863dab820ba92cabac

SHA256
e1616c7c7f867abe32494e6071d5be3b421b839d08373c3a22431c7a1cf29799

SHA512
300726858743521faca51ef4f5ab75980baa08b57b750711d17af86baa30a3549189849e3ee64a6a4df30c3ba70ddca3d8341ae1f95b7d6aa04c4e2894ccb94e

Download Submit
\Users\Admin\AppData\Local\Temp\4159384692\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
\Users\Admin\AppData\Local\Temp\4159384692\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
002f7775f35ae54e331b5a3d813c61bd

SHA1
4d7f6dedf466caa860cd61944f6c4ebc69a171e1

SHA256
8f5de17ac8106c66c62bc506e1c0d05b92ec8d2c00c785ce145dc52c2b17ca02

SHA512
cae1413e7283b20ffd6fa54e4c53fe85391bb823d31df3c877c7c26de729884e64d814a2592a2af079cd46bfdb730e17b56c591021b76903359737398b47daa4

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5bbf7ff65cbfbef6313bc2eac99e38a6

SHA1
c0223f8effb1d5f9e6127ece5f37f383ea0161a5

SHA256
e50bb8de1311bd1b88ff547e895e821306b58ff8e558b944d271c28cf476a7e0

SHA512
7748afff7743621a10d2cc2914fbbca66e8fb0a894905f47e10e8220c6ebe1ecfd7d228775b6084f67b15cac3e58aea03b09958b4ac74a4c0eb7d12dbbc3f0d8

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
5bbf7ff65cbfbef6313bc2eac99e38a6

SHA1
c0223f8effb1d5f9e6127ece5f37f383ea0161a5

SHA256
e50bb8de1311bd1b88ff547e895e821306b58ff8e558b944d271c28cf476a7e0

SHA512
7748afff7743621a10d2cc2914fbbca66e8fb0a894905f47e10e8220c6ebe1ecfd7d228775b6084f67b15cac3e58aea03b09958b4ac74a4c0eb7d12dbbc3f0d8

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2daaab559da5133b87a82ae34d1fbf4d

SHA1
9ceddb6658d0a61ce6fa73c999b3b49fbd6f1aff

SHA256
afb2189da757072658177d854b996f70c2b4721008ef806fbc5c68d9655d7327

SHA512
f238e2447bc9466503b20d4087f0c7839600dbc5096bbebb1a4cdc34afa92a61ca5b2e89287e8b378f7a4c11400a39a1c5748b5c54c864473684b9f34851546a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
526bd04ac93837cc4d193e726c6175e0

SHA1
d8b002f78130d4f609a4e869192fddbda57466a6

SHA256
3461d31590625dc3af6d918de97359977344de0fe39e96b87a59638016f3624a

SHA512
83a45848c62ea220611a2df71fbd6b3c2a8c6ab32c55963840bf811de7bf734b311262512f31bbae5700a350efd69ac8d7566b8db6a2885a148517e6a285e073

Download Submit
memory/368-143-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads