9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18

Analysis

max time kernel
156s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
Size

72KB
MD5

062ef848868156c5b0f894e550d8eb27
SHA1

9a891ea90be677a077b4814c39c84c2cb84de581
SHA256

9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18
SHA512

b04947f911e8bd13dabdc7f11dfd9201447b6039d7b05d20aa3c1db8924e6e2b35b89dda36a31d2c949e7dd69a77f6837bf4806bfd5a48cd748e1417a69888a8
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2D:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPX

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
908	backup.exe
1688	backup.exe
1928	System Restore.exe
1132	backup.exe
1080	backup.exe
1800	backup.exe
1784	backup.exe
1856	backup.exe
1048	backup.exe
1616	backup.exe
1980	backup.exe
1972	backup.exe
1436	backup.exe
1076	backup.exe
1536	backup.exe
1292	backup.exe
364	backup.exe
1140	backup.exe
1580	backup.exe
1528	backup.exe
1376	backup.exe
1688	backup.exe
836	update.exe
1112	backup.exe
1796	backup.exe
1756	backup.exe
1764	backup.exe
1644	backup.exe
568	backup.exe
1604	System Restore.exe
1212	backup.exe
1524	backup.exe
1048	backup.exe
1616	backup.exe
1996	backup.exe
320	backup.exe
1908	backup.exe
1608	backup.exe
1468	backup.exe
712	backup.exe
656	backup.exe
672	update.exe
1016	backup.exe
952	backup.exe
1744	backup.exe
1140	backup.exe
1940	backup.exe
940	backup.exe
1448	backup.exe
1204	backup.exe
1332	backup.exe
1364	backup.exe
1112	backup.exe
1796	backup.exe
1184	backup.exe
1756	backup.exe
1724	backup.exe
1572	backup.exe
1408	backup.exe
1052	backup.exe
1784	backup.exe
1976	backup.exe
1472	backup.exe
1924	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1080	backup.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1080	backup.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1784	backup.exe
1784	backup.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
1080	backup.exe
1080	backup.exe
1980	backup.exe
1980	backup.exe
1972	backup.exe
1972	backup.exe
1980	backup.exe
1980	backup.exe
1076	backup.exe
1076	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
836	update.exe
836	update.exe
836	update.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
364	backup.exe
568	backup.exe
568	backup.exe
568	backup.exe
568	backup.exe
568	backup.exe
568	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
908	backup.exe
1688	backup.exe
1928	System Restore.exe
1132	backup.exe
1080	backup.exe
1800	backup.exe
1784	backup.exe
1856	backup.exe
1048	backup.exe
1616	backup.exe
1980	backup.exe
1972	backup.exe
1436	backup.exe
1076	backup.exe
1536	backup.exe
1292	backup.exe
364	backup.exe
1140	backup.exe
1580	backup.exe
1528	backup.exe
1376	backup.exe
1688	backup.exe
836	update.exe
1112	backup.exe
1796	backup.exe
1756	backup.exe
1764	backup.exe
1644	backup.exe
568	backup.exe
1604	System Restore.exe
1212	backup.exe
1524	backup.exe
1048	backup.exe
1616	backup.exe
1996	backup.exe
320	backup.exe
1908	backup.exe
1608	backup.exe
1468	backup.exe
712	backup.exe
656	backup.exe
672	update.exe
1016	backup.exe
952	backup.exe
1744	backup.exe
1140	backup.exe
1940	backup.exe
940	backup.exe
1448	backup.exe
1204	backup.exe
1332	backup.exe
1364	backup.exe
1112	backup.exe
1796	backup.exe
1184	backup.exe
1756	backup.exe
1724	backup.exe
1572	backup.exe
1408	backup.exe
1052	backup.exe
1784	backup.exe
1976	backup.exe
1472	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 908	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	26
PID 1948 wrote to memory of 908	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	26
PID 1948 wrote to memory of 908	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	26
PID 1948 wrote to memory of 908	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	26
PID 1948 wrote to memory of 1688	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	27
PID 1948 wrote to memory of 1688	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	27
PID 1948 wrote to memory of 1688	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	27
PID 1948 wrote to memory of 1688	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	27
PID 1948 wrote to memory of 1928	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	28
PID 1948 wrote to memory of 1928	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	28
PID 1948 wrote to memory of 1928	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	28
PID 1948 wrote to memory of 1928	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	28
PID 1948 wrote to memory of 1132	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	29
PID 1948 wrote to memory of 1132	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	29
PID 1948 wrote to memory of 1132	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	29
PID 1948 wrote to memory of 1132	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	29
PID 908 wrote to memory of 1080	908	backup.exe	30
PID 908 wrote to memory of 1080	908	backup.exe	30
PID 908 wrote to memory of 1080	908	backup.exe	30
PID 908 wrote to memory of 1080	908	backup.exe	30
PID 1948 wrote to memory of 1800	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	32
PID 1948 wrote to memory of 1800	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	32
PID 1948 wrote to memory of 1800	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	32
PID 1948 wrote to memory of 1800	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	32
PID 1080 wrote to memory of 1784	1080	backup.exe	31
PID 1080 wrote to memory of 1784	1080	backup.exe	31
PID 1080 wrote to memory of 1784	1080	backup.exe	31
PID 1080 wrote to memory of 1784	1080	backup.exe	31
PID 1948 wrote to memory of 1856	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	33
PID 1948 wrote to memory of 1856	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	33
PID 1948 wrote to memory of 1856	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	33
PID 1948 wrote to memory of 1856	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	33
PID 1784 wrote to memory of 1048	1784	backup.exe	34
PID 1784 wrote to memory of 1048	1784	backup.exe	34
PID 1784 wrote to memory of 1048	1784	backup.exe	34
PID 1784 wrote to memory of 1048	1784	backup.exe	34
PID 1948 wrote to memory of 1616	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	35
PID 1948 wrote to memory of 1616	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	35
PID 1948 wrote to memory of 1616	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	35
PID 1948 wrote to memory of 1616	1948	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe	35
PID 1080 wrote to memory of 1980	1080	backup.exe	36
PID 1080 wrote to memory of 1980	1080	backup.exe	36
PID 1080 wrote to memory of 1980	1080	backup.exe	36
PID 1080 wrote to memory of 1980	1080	backup.exe	36
PID 1980 wrote to memory of 1972	1980	backup.exe	37
PID 1980 wrote to memory of 1972	1980	backup.exe	37
PID 1980 wrote to memory of 1972	1980	backup.exe	37
PID 1980 wrote to memory of 1972	1980	backup.exe	37
PID 1972 wrote to memory of 1436	1972	backup.exe	38
PID 1972 wrote to memory of 1436	1972	backup.exe	38
PID 1972 wrote to memory of 1436	1972	backup.exe	38
PID 1972 wrote to memory of 1436	1972	backup.exe	38
PID 1980 wrote to memory of 1076	1980	backup.exe	39
PID 1980 wrote to memory of 1076	1980	backup.exe	39
PID 1980 wrote to memory of 1076	1980	backup.exe	39
PID 1980 wrote to memory of 1076	1980	backup.exe	39
PID 1076 wrote to memory of 1536	1076	backup.exe	40
PID 1076 wrote to memory of 1536	1076	backup.exe	40
PID 1076 wrote to memory of 1536	1076	backup.exe	40
PID 1076 wrote to memory of 1536	1076	backup.exe	40
PID 1536 wrote to memory of 1292	1536	backup.exe	41
PID 1536 wrote to memory of 1292	1536	backup.exe	41
PID 1536 wrote to memory of 1292	1536	backup.exe	41
PID 1536 wrote to memory of 1292	1536	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe
"C:\Users\Admin\AppData\Local\Temp\9dfbe6940d3882c127bf19208aa63e1aaa8fc94ef10540f3405c0d435fcc8e18.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
- C:\Users\Admin\AppData\Local\Temp\1236281487\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1236281487\backup.exe C:\Users\Admin\AppData\Local\Temp\1236281487\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:908
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1048
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1076
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        System policy modification
        
        PID:1288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1436
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1400
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1288
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1776
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:820
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1208
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1588
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\Common Files\System\ado\en-US\update.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\update.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2016
        
        C:\Program Files\Common Files\System\ado\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\update.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1552
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2004
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1936
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1400
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:952
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1728
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1052
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1552
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1604
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        
        PID:360
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2380
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        
        PID:1924
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1652
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1936
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1120
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1736
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2020
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:712
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:944
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1504
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1400
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1192
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1448
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1120
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2396
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1584
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1176
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1476
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:688
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:860
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1436
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1280
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1648
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1800
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:592
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2136
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1232
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:788
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1936
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:984
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1616
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1664
    - - C:\Program Files\Mozilla Firefox\data.exe
        
        "C:\Program Files\Mozilla Firefox\data.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1960
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2088
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2172
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1016
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        System policy modification
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        System policy modification
        
        PID:1436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        System policy modification
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        System policy modification
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        System policy modification
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1736
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:672
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:1184
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:956
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1712
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1176
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1760
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2056
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2152
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:1996
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1088
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:560
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2080
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1696
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:828
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2096
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2188
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      System policy modification
      PID:1072
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:1780
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1784
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1608
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1212
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1292
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1688
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1964
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1952
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1484
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2144
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2388
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
      - C:\Users\Public\Documents\data.exe
        
        C:\Users\Public\Documents\data.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2220
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1416
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
331470cbcea4011f0fe3bb59fac8d67a

SHA1
a6c4bb3d1c027e9bff8b8b34d9af0529eb285369

SHA256
ae88fdd2e7ac1ed93f27edf526f8f0814a8837b8a76623a506a45c9205bfc6a7

SHA512
149f4bb609ca850528dc7f5ecd935a0bef879c7fe1eadb498000e0f1b5ce9edcebbadb876c22c49b8aada86b231078eb65d021257b9dec23b7158072a4fa4885

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
994b51c1e72af52c949617676192133d

SHA1
59b8a83a01b07bffe44e0886ebe98b647ed64980

SHA256
5314171ab8b185d1b0a76339a739ad2cf50c1ef84ab8a4502c4be72678199d94

SHA512
9bf4cf77d1228b0ca1c3e153595eddd89fbf834e76a1c770eced383b76cc0c8e55d9a7ac74ea2b0da3fb1f8e0af52f2cb2ba0f20a53d41ceeb65c4b1efd67038

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
994b51c1e72af52c949617676192133d

SHA1
59b8a83a01b07bffe44e0886ebe98b647ed64980

SHA256
5314171ab8b185d1b0a76339a739ad2cf50c1ef84ab8a4502c4be72678199d94

SHA512
9bf4cf77d1228b0ca1c3e153595eddd89fbf834e76a1c770eced383b76cc0c8e55d9a7ac74ea2b0da3fb1f8e0af52f2cb2ba0f20a53d41ceeb65c4b1efd67038

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fdb98113fc6071db73a32e6fa4c24343

SHA1
d0f7ae1f6471342dbe5d1cab6e6de2478c4362c2

SHA256
2ebd2f9d26aa8b72d48c109d45f42ff95fe1778af78f46f8914561f53e0e7f6f

SHA512
c9b61140b72153ee46069113551d9cd9b84adf8a1e3f7a06ea268909f1af995cfdb8d8056dbd9c905aa900704e37e67ccce5cbd6dfff7b3e5fbd0c71544b12f8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d84ad62db90d4c5e0bf28dcb54b1b34e

SHA1
0ac81635a6df305f61c93d9194f6bfa9386deab2

SHA256
6a2976b6a267b59ba11486858fb9c3d9be2fc5fc5226094bfa6af3daa5bec815

SHA512
a4f0c7c967f3d8e8a5f69a3aa21eaa5f755911331a4a43d915323d12afb3824b97fd281dbb224e65901a9fab3126dd7a2b9d522663de5998cf97f3b5c4b17ff8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d84ad62db90d4c5e0bf28dcb54b1b34e

SHA1
0ac81635a6df305f61c93d9194f6bfa9386deab2

SHA256
6a2976b6a267b59ba11486858fb9c3d9be2fc5fc5226094bfa6af3daa5bec815

SHA512
a4f0c7c967f3d8e8a5f69a3aa21eaa5f755911331a4a43d915323d12afb3824b97fd281dbb224e65901a9fab3126dd7a2b9d522663de5998cf97f3b5c4b17ff8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ba7951053a82cb0bbb0944ca6908f285

SHA1
21b16232f93cc65901ef92261086264226325d60

SHA256
fddae606e3a991bd91ed80bed732da82200b5014fd17fb8aa4b7b9c6af74ad30

SHA512
8a2a1e83ae450c00e7e27161d08d71288a4ee2044cc3f33414d5738249e0acd7d066c1677f21781ecc0035eb6bcca9fd81f8df51a30a2af5367d62cb0fd97300

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ba7951053a82cb0bbb0944ca6908f285

SHA1
21b16232f93cc65901ef92261086264226325d60

SHA256
fddae606e3a991bd91ed80bed732da82200b5014fd17fb8aa4b7b9c6af74ad30

SHA512
8a2a1e83ae450c00e7e27161d08d71288a4ee2044cc3f33414d5738249e0acd7d066c1677f21781ecc0035eb6bcca9fd81f8df51a30a2af5367d62cb0fd97300

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f718db4b7eb857691456b6c6b005aa4e

SHA1
fbb93bfb11d93c6ce0d116c24302f73be35a33e7

SHA256
6312a71d86647e86c26ec7cfa921c9ae3d7f4b0e28bfd7e0cfb474c2bffa74ca

SHA512
765044827642fbd40cdaa6550eb3b8f0bb28e9e637f496aef0112c8fe8c89c27cd6b9a61292807da652bffb87ac7771d927266341c868096d967f5ecf7ac7765

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d14053242f63f7a9541ddc70f1b2f4e5

SHA1
b392833c2df11dd0d9f43c754a6b00755283fc6b

SHA256
54575269a910e7853e1acd144ec9eb95d2892f5c7fd2688c1f19e9b4921000a6

SHA512
ba4b83b30f68c58ffdfc0bc3adfed5f2887094e6c9acb922ef2e5bb6aeb5c6a09107051208ec1792abe553acc02e56e495c2663cb86b38baccdc15f1b8e324aa

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
07701fcc838481b9767a9ab4e9817d32

SHA1
4cc993cce102bacbd6b37965520e86e7f911d307

SHA256
304dcab545c97b45a97f96ee9589ce63c2d246cb767365d7b57c730146dc168a

SHA512
330fbb2046231f34ea59dc5907f022019fbf05fcf5e0caf453075a006216324119c226872f4cb45c0c5149fc6390531d17af098d36d02e02713efa5d659a1b15

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
07701fcc838481b9767a9ab4e9817d32

SHA1
4cc993cce102bacbd6b37965520e86e7f911d307

SHA256
304dcab545c97b45a97f96ee9589ce63c2d246cb767365d7b57c730146dc168a

SHA512
330fbb2046231f34ea59dc5907f022019fbf05fcf5e0caf453075a006216324119c226872f4cb45c0c5149fc6390531d17af098d36d02e02713efa5d659a1b15

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
739e007ae145e12351e9c54fad382b9f

SHA1
7e2d5b6bf847763d0a2646f5d940c959165f39aa

SHA256
5da90b647f7e82e9f72cfe24b607cd9c388eab199e043ab0c6e051c54460fbf0

SHA512
fdd66ae4e4ea5afb650e8b3f5df3bc1c6daf864e8ea9dd406cc3fb30cdb2974a7c1f27314de996528c9051ab98fdc89aee3a18fdb32ce455edfc0a914efc334f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
739e007ae145e12351e9c54fad382b9f

SHA1
7e2d5b6bf847763d0a2646f5d940c959165f39aa

SHA256
5da90b647f7e82e9f72cfe24b607cd9c388eab199e043ab0c6e051c54460fbf0

SHA512
fdd66ae4e4ea5afb650e8b3f5df3bc1c6daf864e8ea9dd406cc3fb30cdb2974a7c1f27314de996528c9051ab98fdc89aee3a18fdb32ce455edfc0a914efc334f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1236281487\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
C:\Users\Admin\AppData\Local\Temp\1236281487\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
303e3d9eda552aa98fd8219143654876

SHA1
df3c21f74f1d13b20762cf5c566234d173cc0872

SHA256
ea0bc0e4e92c5d1f7be93a6f298cd8667a681ebe5e37604693a5e65dd6d622f0

SHA512
94509f828eafd5df17d8354c88f5acb72477639ec285891d2399bd09e0c3dd7d873a7bb6304001d8ffef86e00423772b36d5363eb6973f54dc5caecbd2bc04db

Download Submit
C:\backup.exe

Filesize
72KB

MD5
303e3d9eda552aa98fd8219143654876

SHA1
df3c21f74f1d13b20762cf5c566234d173cc0872

SHA256
ea0bc0e4e92c5d1f7be93a6f298cd8667a681ebe5e37604693a5e65dd6d622f0

SHA512
94509f828eafd5df17d8354c88f5acb72477639ec285891d2399bd09e0c3dd7d873a7bb6304001d8ffef86e00423772b36d5363eb6973f54dc5caecbd2bc04db

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
331470cbcea4011f0fe3bb59fac8d67a

SHA1
a6c4bb3d1c027e9bff8b8b34d9af0529eb285369

SHA256
ae88fdd2e7ac1ed93f27edf526f8f0814a8837b8a76623a506a45c9205bfc6a7

SHA512
149f4bb609ca850528dc7f5ecd935a0bef879c7fe1eadb498000e0f1b5ce9edcebbadb876c22c49b8aada86b231078eb65d021257b9dec23b7158072a4fa4885

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
331470cbcea4011f0fe3bb59fac8d67a

SHA1
a6c4bb3d1c027e9bff8b8b34d9af0529eb285369

SHA256
ae88fdd2e7ac1ed93f27edf526f8f0814a8837b8a76623a506a45c9205bfc6a7

SHA512
149f4bb609ca850528dc7f5ecd935a0bef879c7fe1eadb498000e0f1b5ce9edcebbadb876c22c49b8aada86b231078eb65d021257b9dec23b7158072a4fa4885

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
994b51c1e72af52c949617676192133d

SHA1
59b8a83a01b07bffe44e0886ebe98b647ed64980

SHA256
5314171ab8b185d1b0a76339a739ad2cf50c1ef84ab8a4502c4be72678199d94

SHA512
9bf4cf77d1228b0ca1c3e153595eddd89fbf834e76a1c770eced383b76cc0c8e55d9a7ac74ea2b0da3fb1f8e0af52f2cb2ba0f20a53d41ceeb65c4b1efd67038

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
994b51c1e72af52c949617676192133d

SHA1
59b8a83a01b07bffe44e0886ebe98b647ed64980

SHA256
5314171ab8b185d1b0a76339a739ad2cf50c1ef84ab8a4502c4be72678199d94

SHA512
9bf4cf77d1228b0ca1c3e153595eddd89fbf834e76a1c770eced383b76cc0c8e55d9a7ac74ea2b0da3fb1f8e0af52f2cb2ba0f20a53d41ceeb65c4b1efd67038

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fdb98113fc6071db73a32e6fa4c24343

SHA1
d0f7ae1f6471342dbe5d1cab6e6de2478c4362c2

SHA256
2ebd2f9d26aa8b72d48c109d45f42ff95fe1778af78f46f8914561f53e0e7f6f

SHA512
c9b61140b72153ee46069113551d9cd9b84adf8a1e3f7a06ea268909f1af995cfdb8d8056dbd9c905aa900704e37e67ccce5cbd6dfff7b3e5fbd0c71544b12f8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
fdb98113fc6071db73a32e6fa4c24343

SHA1
d0f7ae1f6471342dbe5d1cab6e6de2478c4362c2

SHA256
2ebd2f9d26aa8b72d48c109d45f42ff95fe1778af78f46f8914561f53e0e7f6f

SHA512
c9b61140b72153ee46069113551d9cd9b84adf8a1e3f7a06ea268909f1af995cfdb8d8056dbd9c905aa900704e37e67ccce5cbd6dfff7b3e5fbd0c71544b12f8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d84ad62db90d4c5e0bf28dcb54b1b34e

SHA1
0ac81635a6df305f61c93d9194f6bfa9386deab2

SHA256
6a2976b6a267b59ba11486858fb9c3d9be2fc5fc5226094bfa6af3daa5bec815

SHA512
a4f0c7c967f3d8e8a5f69a3aa21eaa5f755911331a4a43d915323d12afb3824b97fd281dbb224e65901a9fab3126dd7a2b9d522663de5998cf97f3b5c4b17ff8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d84ad62db90d4c5e0bf28dcb54b1b34e

SHA1
0ac81635a6df305f61c93d9194f6bfa9386deab2

SHA256
6a2976b6a267b59ba11486858fb9c3d9be2fc5fc5226094bfa6af3daa5bec815

SHA512
a4f0c7c967f3d8e8a5f69a3aa21eaa5f755911331a4a43d915323d12afb3824b97fd281dbb224e65901a9fab3126dd7a2b9d522663de5998cf97f3b5c4b17ff8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ba7951053a82cb0bbb0944ca6908f285

SHA1
21b16232f93cc65901ef92261086264226325d60

SHA256
fddae606e3a991bd91ed80bed732da82200b5014fd17fb8aa4b7b9c6af74ad30

SHA512
8a2a1e83ae450c00e7e27161d08d71288a4ee2044cc3f33414d5738249e0acd7d066c1677f21781ecc0035eb6bcca9fd81f8df51a30a2af5367d62cb0fd97300

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
ba7951053a82cb0bbb0944ca6908f285

SHA1
21b16232f93cc65901ef92261086264226325d60

SHA256
fddae606e3a991bd91ed80bed732da82200b5014fd17fb8aa4b7b9c6af74ad30

SHA512
8a2a1e83ae450c00e7e27161d08d71288a4ee2044cc3f33414d5738249e0acd7d066c1677f21781ecc0035eb6bcca9fd81f8df51a30a2af5367d62cb0fd97300

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f718db4b7eb857691456b6c6b005aa4e

SHA1
fbb93bfb11d93c6ce0d116c24302f73be35a33e7

SHA256
6312a71d86647e86c26ec7cfa921c9ae3d7f4b0e28bfd7e0cfb474c2bffa74ca

SHA512
765044827642fbd40cdaa6550eb3b8f0bb28e9e637f496aef0112c8fe8c89c27cd6b9a61292807da652bffb87ac7771d927266341c868096d967f5ecf7ac7765

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f718db4b7eb857691456b6c6b005aa4e

SHA1
fbb93bfb11d93c6ce0d116c24302f73be35a33e7

SHA256
6312a71d86647e86c26ec7cfa921c9ae3d7f4b0e28bfd7e0cfb474c2bffa74ca

SHA512
765044827642fbd40cdaa6550eb3b8f0bb28e9e637f496aef0112c8fe8c89c27cd6b9a61292807da652bffb87ac7771d927266341c868096d967f5ecf7ac7765

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6ad8b954220e885ea5dec42831de3174

SHA1
2b740a0ecdd984db5e0c704aff666986bd41c310

SHA256
d9ac7f9f5d79354a454e80991695630749a14911a3aa861c2e122713b23f0c80

SHA512
2f5ef9cdbeb09ed8c0ab5d57c40259f80d062603a40bb7f683f6dc75d5995e1962b3b214bee15e8e741ca406542e3a8029fb01c6b1d496987b6037fea42e7274

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d14053242f63f7a9541ddc70f1b2f4e5

SHA1
b392833c2df11dd0d9f43c754a6b00755283fc6b

SHA256
54575269a910e7853e1acd144ec9eb95d2892f5c7fd2688c1f19e9b4921000a6

SHA512
ba4b83b30f68c58ffdfc0bc3adfed5f2887094e6c9acb922ef2e5bb6aeb5c6a09107051208ec1792abe553acc02e56e495c2663cb86b38baccdc15f1b8e324aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d14053242f63f7a9541ddc70f1b2f4e5

SHA1
b392833c2df11dd0d9f43c754a6b00755283fc6b

SHA256
54575269a910e7853e1acd144ec9eb95d2892f5c7fd2688c1f19e9b4921000a6

SHA512
ba4b83b30f68c58ffdfc0bc3adfed5f2887094e6c9acb922ef2e5bb6aeb5c6a09107051208ec1792abe553acc02e56e495c2663cb86b38baccdc15f1b8e324aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
d14053242f63f7a9541ddc70f1b2f4e5

SHA1
b392833c2df11dd0d9f43c754a6b00755283fc6b

SHA256
54575269a910e7853e1acd144ec9eb95d2892f5c7fd2688c1f19e9b4921000a6

SHA512
ba4b83b30f68c58ffdfc0bc3adfed5f2887094e6c9acb922ef2e5bb6aeb5c6a09107051208ec1792abe553acc02e56e495c2663cb86b38baccdc15f1b8e324aa

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
07701fcc838481b9767a9ab4e9817d32

SHA1
4cc993cce102bacbd6b37965520e86e7f911d307

SHA256
304dcab545c97b45a97f96ee9589ce63c2d246cb767365d7b57c730146dc168a

SHA512
330fbb2046231f34ea59dc5907f022019fbf05fcf5e0caf453075a006216324119c226872f4cb45c0c5149fc6390531d17af098d36d02e02713efa5d659a1b15

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
07701fcc838481b9767a9ab4e9817d32

SHA1
4cc993cce102bacbd6b37965520e86e7f911d307

SHA256
304dcab545c97b45a97f96ee9589ce63c2d246cb767365d7b57c730146dc168a

SHA512
330fbb2046231f34ea59dc5907f022019fbf05fcf5e0caf453075a006216324119c226872f4cb45c0c5149fc6390531d17af098d36d02e02713efa5d659a1b15

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
739e007ae145e12351e9c54fad382b9f

SHA1
7e2d5b6bf847763d0a2646f5d940c959165f39aa

SHA256
5da90b647f7e82e9f72cfe24b607cd9c388eab199e043ab0c6e051c54460fbf0

SHA512
fdd66ae4e4ea5afb650e8b3f5df3bc1c6daf864e8ea9dd406cc3fb30cdb2974a7c1f27314de996528c9051ab98fdc89aee3a18fdb32ce455edfc0a914efc334f

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
739e007ae145e12351e9c54fad382b9f

SHA1
7e2d5b6bf847763d0a2646f5d940c959165f39aa

SHA256
5da90b647f7e82e9f72cfe24b607cd9c388eab199e043ab0c6e051c54460fbf0

SHA512
fdd66ae4e4ea5afb650e8b3f5df3bc1c6daf864e8ea9dd406cc3fb30cdb2974a7c1f27314de996528c9051ab98fdc89aee3a18fdb32ce455edfc0a914efc334f

Download Submit
\Users\Admin\AppData\Local\Temp\1236281487\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
\Users\Admin\AppData\Local\Temp\1236281487\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
77183ad8714e589b1eb433c833c0315d

SHA1
9b9679d7f2fd2d80ef22cce39e24f47a0ba794d6

SHA256
ccf9d9e7d5f582f0998fa191f2466926eb6425815c9e0bf512b7fb740008318f

SHA512
6bfe0426df715a73e7002c0ad8d299ad36714f993d3baa7679cb67ef46295127cbed8b924d763148506a46225f388219818350774737c837654607d86d427f0d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d32ec50aaf70bed97928f8d81bffe908

SHA1
dbfaf85a549155d4dba47997b2b81929c41c0a8d

SHA256
c288135d233409a927d2406407041dcfeb350b3e8e55ab9eee3924290423abe5

SHA512
c19f91d1bcee86226edcb3c64e97e3f03f3bdb256f662479692ca940af9ecf18644279b75cd3e1c267b95efbb2a9847f68ec2178cff649525b900fb205afa210

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6affe87609b555d8c858f4b087998538

SHA1
7edb53f3ec790f6cfcc10e2228e7699a0581fca3

SHA256
5af180449d82fc8758833bbfecb86172c83c49a0275c412dd84694882e1a074a

SHA512
4c97382af390da74fe26d720bca7bf0701bd50e3caaf5f5fa628dda77afcc9f908823ceabe71d73f2b65ad0ad7eabda4ae58c66f35af3be8d229673be8a0565c

Download Submit
memory/1948-131-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads