098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
Size

72KB
MD5

0cf0f869ef7f6af38efb793abad511de
SHA1

17518061aaeddc93ccafe02d5722589fd3b8dc78
SHA256

098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58
SHA512

526199da135641172aeb3213a2d908026eacf7fb04733d42f03be767c365d1d65ecd31ca1afeba97af4126e321749d4e30dbada9a0359c9d75443a32cdf7720c
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2J:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrl

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1316	backup.exe
1092	update.exe
856	update.exe
560	update.exe
1644	backup.exe
1580	backup.exe
1796	backup.exe
1648	backup.exe
772	backup.exe
2044	data.exe
1412	backup.exe
1964	data.exe
1776	backup.exe
1676	backup.exe
1848	update.exe
1696	backup.exe
840	backup.exe
1236	backup.exe
1052	backup.exe
1108	backup.exe
1428	backup.exe
976	backup.exe
1588	backup.exe
520	backup.exe
920	backup.exe
1256	backup.exe
1436	backup.exe
964	backup.exe
2012	backup.exe
1544	backup.exe
2020	data.exe
1968	backup.exe
772	System Restore.exe
812	backup.exe
860	backup.exe
1944	backup.exe
1656	backup.exe
1808	backup.exe
1156	backup.exe
1884	backup.exe
1764	backup.exe
1748	backup.exe
968	backup.exe
536	backup.exe
516	backup.exe
884	backup.exe
1932	backup.exe
560	backup.exe
1152	backup.exe
1680	backup.exe
1336	backup.exe
1796	backup.exe
820	backup.exe
1728	backup.exe
916	data.exe
1972	backup.exe
600	backup.exe
528	backup.exe
1636	backup.exe
768	backup.exe
1020	backup.exe
1396	backup.exe
1980	update.exe
944	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1092	update.exe
1092	update.exe
1092	update.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
856	update.exe
856	update.exe
856	update.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
560	update.exe
560	update.exe
560	update.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1648	backup.exe
1648	backup.exe
772	backup.exe
772	backup.exe
1648	backup.exe
1648	backup.exe
1412	backup.exe
1412	backup.exe
1964	data.exe
1964	data.exe
1412	backup.exe
1412	backup.exe
1676	backup.exe
1848	update.exe
1848	update.exe
1848	update.exe
1848	update.exe
1848	update.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1848	update.exe
1848	update.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
840	backup.exe
840	backup.exe
1052	backup.exe
1052	backup.exe
1052	backup.exe
840	backup.exe
840	backup.exe
1108	backup.exe
1108	backup.exe
1108	backup.exe
840	backup.exe
840	backup.exe
1428	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
1316	backup.exe
1092	update.exe
856	update.exe
560	update.exe
1644	backup.exe
1580	backup.exe
1796	backup.exe
1648	backup.exe
772	backup.exe
2044	data.exe
1412	backup.exe
1964	data.exe
1776	backup.exe
1676	backup.exe
1848	update.exe
1696	backup.exe
840	backup.exe
1236	backup.exe
1052	backup.exe
1108	backup.exe
1428	backup.exe
976	backup.exe
1588	backup.exe
520	backup.exe
920	backup.exe
1256	backup.exe
1436	backup.exe
964	backup.exe
2012	backup.exe
1544	backup.exe
2020	data.exe
1968	backup.exe
772	System Restore.exe
812	backup.exe
860	backup.exe
1944	backup.exe
1656	backup.exe
1808	backup.exe
1156	backup.exe
1884	backup.exe
1764	backup.exe
1748	backup.exe
968	backup.exe
536	backup.exe
516	backup.exe
884	backup.exe
1932	backup.exe
560	backup.exe
1152	backup.exe
1680	backup.exe
1336	backup.exe
1796	backup.exe
820	backup.exe
1728	backup.exe
916	data.exe
1972	backup.exe
600	backup.exe
528	backup.exe
1636	backup.exe
768	backup.exe
1020	backup.exe
1396	backup.exe
1980	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1316	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	27
PID 1760 wrote to memory of 1316	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	27
PID 1760 wrote to memory of 1316	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	27
PID 1760 wrote to memory of 1316	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	27
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 1092	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	28
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 856	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	29
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 560	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	30
PID 1760 wrote to memory of 1644	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	31
PID 1760 wrote to memory of 1644	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	31
PID 1760 wrote to memory of 1644	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	31
PID 1760 wrote to memory of 1644	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	31
PID 1760 wrote to memory of 1580	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	32
PID 1760 wrote to memory of 1580	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	32
PID 1760 wrote to memory of 1580	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	32
PID 1760 wrote to memory of 1580	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	32
PID 1760 wrote to memory of 1796	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	33
PID 1760 wrote to memory of 1796	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	33
PID 1760 wrote to memory of 1796	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	33
PID 1760 wrote to memory of 1796	1760	098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe	33
PID 1316 wrote to memory of 1648	1316	backup.exe	34
PID 1316 wrote to memory of 1648	1316	backup.exe	34
PID 1316 wrote to memory of 1648	1316	backup.exe	34
PID 1316 wrote to memory of 1648	1316	backup.exe	34
PID 1648 wrote to memory of 772	1648	backup.exe	35
PID 1648 wrote to memory of 772	1648	backup.exe	35
PID 1648 wrote to memory of 772	1648	backup.exe	35
PID 1648 wrote to memory of 772	1648	backup.exe	35
PID 772 wrote to memory of 2044	772	backup.exe	36
PID 772 wrote to memory of 2044	772	backup.exe	36
PID 772 wrote to memory of 2044	772	backup.exe	36
PID 772 wrote to memory of 2044	772	backup.exe	36
PID 1648 wrote to memory of 1412	1648	backup.exe	37
PID 1648 wrote to memory of 1412	1648	backup.exe	37
PID 1648 wrote to memory of 1412	1648	backup.exe	37
PID 1648 wrote to memory of 1412	1648	backup.exe	37
PID 1412 wrote to memory of 1964	1412	backup.exe	38
PID 1412 wrote to memory of 1964	1412	backup.exe	38
PID 1412 wrote to memory of 1964	1412	backup.exe	38
PID 1412 wrote to memory of 1964	1412	backup.exe	38
PID 1964 wrote to memory of 1776	1964	data.exe	39
PID 1964 wrote to memory of 1776	1964	data.exe	39
PID 1964 wrote to memory of 1776	1964	data.exe	39
PID 1964 wrote to memory of 1776	1964	data.exe	39
PID 1412 wrote to memory of 1676	1412	backup.exe	40
PID 1412 wrote to memory of 1676	1412	backup.exe	40
PID 1412 wrote to memory of 1676	1412	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe
"C:\Users\Admin\AppData\Local\Temp\098657fd08f887c6b95d507bbaafbbfc6b4347c967d1b171159372e934d1dc58.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\1016099050\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1016099050\backup.exe C:\Users\Admin\AppData\Local\Temp\1016099050\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\PerfLogs\Admin\data.exe
        
        C:\PerfLogs\Admin\data.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Program Files\7-Zip\data.exe
        
        "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1776
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:516
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1044
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Drops file in Program Files directory
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Drops file in Program Files directory
        
        PID:1832
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1296
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:928
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:432
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1716
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2024
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:600
        
        C:\Program Files\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1776
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:888
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1732
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1660
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1432
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:580
        
        C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:600
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1052
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:584
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1868
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:884
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:916
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:968
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:916
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1628
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1092
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:848
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:960
      - C:\Program Files\DVD Maker\en-US\update.exe
        
        "C:\Program Files\DVD Maker\en-US\update.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1656
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:536
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1428
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        System policy modification
        
        PID:1992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1484
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:840
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1156
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:516
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:520
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1892
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1144
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1400
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        Disables RegEdit via registry modification
        
        PID:964
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:860
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        System policy modification
        
        PID:976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:848
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:1796
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1732
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:2044
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1380
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1980
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1064
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:1512
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        System policy modification
        
        PID:1168
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1088
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        System policy modification
        
        PID:1584
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:772
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        System policy modification
        
        PID:1956
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1808
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:740
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:740
    - - C:\Program Files\Internet Explorer\System Restore.exe
        
        "C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1660
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1980
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1572
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1628
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:980
      - C:\Program Files\Internet Explorer\images\update.exe
        
        "C:\Program Files\Internet Explorer\images\update.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:572
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1832
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1296
      - C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1832
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2040
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Drops file in Program Files directory
        
        PID:1852
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:1636
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        Disables RegEdit via registry modification
        
        PID:620
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        
        PID:1792
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:840
        
        C:\Program Files\Java\jdk1.7.0_80\include\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:972
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:928
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1484
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Drops file in Program Files directory
        
        PID:1108
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:888
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:772
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:432
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:696
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        System policy modification
        
        PID:948
        
        C:\Program Files\Microsoft Games\Chess\it-IT\update.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\update.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:572
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1648
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1980
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:972
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1428
        
        C:\Program Files\Microsoft Office\Office14\1033\update.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\update.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:976
    - - C:\Program Files\Mozilla Firefox\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\System Restore.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:1880
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:1272
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:1000
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:1796
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1772
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2008
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:1888
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:380
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1256
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1372
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        System policy modification
        
        PID:956
      - C:\Program Files\Reference Assemblies\Microsoft\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\update.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1252
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:964
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:2008
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:1256
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1044
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:2028
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Drops file in Program Files directory
        
        PID:1600
      - C:\Program Files (x86)\Adobe\Reader 9.0\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        System policy modification
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1372
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Drops file in Program Files directory
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        System policy modification
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        System policy modification
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1128
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:1848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1992
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1284
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:920
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:676
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Drops file in Program Files directory
        
        PID:536
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1428
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1656
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:560
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1628
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1336
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2008
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1632
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1632
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1492
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:112
        
        C:\Program Files (x86)\Google\Update\Install\data.exe
        
        "C:\Program Files (x86)\Google\Update\Install\data.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:620
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:568
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1400
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1800
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1016
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1680
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        System policy modification
        
        PID:2032
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2024
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1868
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1656
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:1036
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1000
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
    - - C:\Program Files (x86)\Microsoft Office\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\update.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1580
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1388
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
        7⤵
        
        PID:1616
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
        7⤵
        System policy modification
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:860
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        7⤵
        
        PID:1724
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        7⤵
        
        PID:1776
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:1984
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:956
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
        7⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:820
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:580
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\
        7⤵
        System policy modification
        
        PID:268
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\
        8⤵
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:772
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1372
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\
        9⤵
        
        PID:1932
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2000
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\data.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\data.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1724
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
      - C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\
        6⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:572
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1020
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:548
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:944
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1616
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:696
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1676
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1436
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:460
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1252
      - C:\Users\Admin\Pictures\update.exe
        
        C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1964
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
      - C:\Users\Admin\Searches\update.exe
        
        C:\Users\Admin\Searches\update.exe C:\Users\Admin\Searches\
        6⤵
        Disables RegEdit via registry modification
        
        PID:972
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:432
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1084
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:980
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        System policy modification
        
        PID:664
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1020
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1356
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1884
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1588
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:1716
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1016
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1984
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:1800
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        System policy modification
        
        PID:1044
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1636
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1380
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:772
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1036
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2032
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:560
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
e4d3c0782d4e5ee9e304fd9665614ce4

SHA1
94a3dad66e06843a1af2d881669b236ab060ae9d

SHA256
3bd171662884d5e08f1ae869c0009916e57a34214b07863d6ded81148df23ceb

SHA512
54a92b650bc9d4431b39f5232d0f65fa37b770822d12b9eb609edec01a5a88a13a958238491115c2818ee1aee4a583e1be3d74f66463df4aecd1749133c45f55

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d16fdc6af34e4bb2fc9f58813f635b24

SHA1
88dd4f87a90518bb4821259bc44d8220cbbb37a6

SHA256
5395e88bf7bf888619ce7baa3f7abce90e00e89d6f4c58aa1d6a3de7a2dcb673

SHA512
a1809a1646a866d9a7b8ba769d43ec65185f0a54027d07ffdbe7aad49eb2ef66ba9cc194f5f9170cfa03e35f60fd6b680c4cd9f69db87d98153f6dc6e3948b66

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016099050\backup.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016099050\backup.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4fc6b914a58d8148f82203a7d71d946c

SHA1
72eeb21b0de252e2bfe71869fc10cfa9cc5e87d3

SHA256
f0958f6d4b11709022794bc518d7165ce0126359b0a2ccbb0739788bb128f62b

SHA512
846481982dc3cc1d14d7ea9b1d2385825bbae3a8ad5df1b2360f88b5fa4d9dfc37259366c0abb7309761202b9534ab8f73280d95c7747339c988c2cae35dbfb9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4fc6b914a58d8148f82203a7d71d946c

SHA1
72eeb21b0de252e2bfe71869fc10cfa9cc5e87d3

SHA256
f0958f6d4b11709022794bc518d7165ce0126359b0a2ccbb0739788bb128f62b

SHA512
846481982dc3cc1d14d7ea9b1d2385825bbae3a8ad5df1b2360f88b5fa4d9dfc37259366c0abb7309761202b9534ab8f73280d95c7747339c988c2cae35dbfb9

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
e4d3c0782d4e5ee9e304fd9665614ce4

SHA1
94a3dad66e06843a1af2d881669b236ab060ae9d

SHA256
3bd171662884d5e08f1ae869c0009916e57a34214b07863d6ded81148df23ceb

SHA512
54a92b650bc9d4431b39f5232d0f65fa37b770822d12b9eb609edec01a5a88a13a958238491115c2818ee1aee4a583e1be3d74f66463df4aecd1749133c45f55

Download Submit
\PerfLogs\Admin\data.exe

Filesize
72KB

MD5
e4d3c0782d4e5ee9e304fd9665614ce4

SHA1
94a3dad66e06843a1af2d881669b236ab060ae9d

SHA256
3bd171662884d5e08f1ae869c0009916e57a34214b07863d6ded81148df23ceb

SHA512
54a92b650bc9d4431b39f5232d0f65fa37b770822d12b9eb609edec01a5a88a13a958238491115c2818ee1aee4a583e1be3d74f66463df4aecd1749133c45f55

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d16fdc6af34e4bb2fc9f58813f635b24

SHA1
88dd4f87a90518bb4821259bc44d8220cbbb37a6

SHA256
5395e88bf7bf888619ce7baa3f7abce90e00e89d6f4c58aa1d6a3de7a2dcb673

SHA512
a1809a1646a866d9a7b8ba769d43ec65185f0a54027d07ffdbe7aad49eb2ef66ba9cc194f5f9170cfa03e35f60fd6b680c4cd9f69db87d98153f6dc6e3948b66

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d16fdc6af34e4bb2fc9f58813f635b24

SHA1
88dd4f87a90518bb4821259bc44d8220cbbb37a6

SHA256
5395e88bf7bf888619ce7baa3f7abce90e00e89d6f4c58aa1d6a3de7a2dcb673

SHA512
a1809a1646a866d9a7b8ba769d43ec65185f0a54027d07ffdbe7aad49eb2ef66ba9cc194f5f9170cfa03e35f60fd6b680c4cd9f69db87d98153f6dc6e3948b66

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
72KB

MD5
7983c977b62ec7332b5d6e39d503e75a

SHA1
d06d5c3a0640d7465ed276e9eb4a199fba0bfc02

SHA256
722d0bde5684e44a62a2fb900722986a371d3e24e1e380f2f642e2919146028f

SHA512
170fd874595218ab7326bdad17880a1027ff40d45bb224ab2867d768ebb2a86e861e7b435e29588f56975c5c89c7b6bfc2a76cae1b7a548cfcc5d44a1c6f1ec7

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
1bddfcbd4489c57e87387489dd7bbdbc

SHA1
0822e24b12b069b91d3712a621f56fa8dc6646eb

SHA256
0819b671c95e9579185ba6b1d68a5c9ff1d7bba1e93bc9e032684b81d1e15b02

SHA512
734b25a9f7cf6eb28da1202bec83d7fcfe1e1203ec7c12a308f5e14d7cab4388c7a3369a9dcfcefec43511ca1cddb2685c73d0e223c37fb0d5f7613839ff7cb4

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
ee6889e3bddc58ba0bb870b0c9725d36

SHA1
adb2ac78bfcbef5a87e2377255186d318cd14ee4

SHA256
6d94b77ba821021992377bad991200040c9170a87b12d0810c3182e2e00ee6a9

SHA512
62bae3528b6a65ff3a434a620d4a0deb89c48c61e5d7800efd4f81f5a77fb3108ff6a26ace984c6747b0ae1e8c740cf5dbde4fc0d9d3a7e8c62d035a8572f7f5

Download Submit
\Users\Admin\AppData\Local\Temp\1016099050\backup.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\1016099050\backup.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
ffdab4e6e94f179d26b2d186f2ad1c4d

SHA1
a1d598d9b4aafd9c50efeb9c69ffbee42fea1dd9

SHA256
648728ca64acf4b4283c7545aea7678f75e5127955b7ae2ff24305e3cd3221a0

SHA512
6ee0de488f8606a7d92246a1e573719b2bfc230b0061d6a0f03551d35369d5fbc8cbd45e7d49af4bb92034dfc111028f45e8df4d9af78dff57a289a00a3415a6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d24d84a923c7f55e46cfd2bc888529bc

SHA1
8c2e8279448b89bdde6f467edfebcc701757395d

SHA256
e0e793edd3d89e0d5332a308202f182353df0f31d0931eecd8effe99702f3ef7

SHA512
ac46a82d4c84af914c693bc6de74b1476f7d991bde8778a342f1c285a3327aef9c8dca9fea74dfd9a79beadbe9897129ec8c7648f840917ddf232f299e4322d7

Download Submit
memory/1092-66-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-125-0x0000000073C91000-0x0000000073C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads