1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb

Analysis

max time kernel
219s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
Size

72KB
MD5

04bd0d8a36c07bc21d0109929cab14f9
SHA1

c34c00da54d8efda259d20b1c30576262ddebfee
SHA256

1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb
SHA512

de1aa4f29453b1e8c94fb467b2f54865279461549dbf910a85016a63049a2ae2d0a07154a9fad7d941923a80f05367c1c25b658e5ff5d340053d9b726f79e820
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf22:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPi

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
484	System Restore.exe
580	backup.exe
1928	backup.exe
1828	backup.exe
888	backup.exe
928	backup.exe
1876	backup.exe
1872	backup.exe
856	System Restore.exe
1128	backup.exe
2020	backup.exe
1168	backup.exe
2024	backup.exe
1644	backup.exe
796	backup.exe
1372	backup.exe
1712	backup.exe
524	backup.exe
320	backup.exe
628	System Restore.exe
1508	data.exe
1056	backup.exe
1828	backup.exe
1476	System Restore.exe
532	backup.exe
940	backup.exe
1008	backup.exe
396	backup.exe
1160	backup.exe
1556	backup.exe
1844	backup.exe
1592	data.exe
324	backup.exe
1752	backup.exe
1560	backup.exe
956	System Restore.exe
1736	update.exe
1524	backup.exe
1600	backup.exe
1860	update.exe
1412	data.exe
1000	backup.exe
1372	backup.exe
584	update.exe
1504	backup.exe
1180	backup.exe
680	backup.exe
1652	backup.exe
1716	backup.exe
1576	backup.exe
752	backup.exe
1192	backup.exe
1784	backup.exe
1768	backup.exe
1876	backup.exe
1972	backup.exe
1548	backup.exe
604	backup.exe
292	backup.exe
864	backup.exe
2012	backup.exe
1752	backup.exe
1156	backup.exe
1560	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
1872	backup.exe
1872	backup.exe
1872	backup.exe
1872	backup.exe
856	System Restore.exe
856	System Restore.exe
1128	backup.exe
1128	backup.exe
1168	backup.exe
1168	backup.exe
1128	backup.exe
1128	backup.exe
1644	backup.exe
1644	backup.exe
796	backup.exe
796	backup.exe
796	backup.exe
796	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe
1160	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ja-JP\data.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
484	System Restore.exe
580	backup.exe
1928	backup.exe
1828	backup.exe
888	backup.exe
928	backup.exe
1876	backup.exe
1872	backup.exe
856	System Restore.exe
1128	backup.exe
2020	backup.exe
1168	backup.exe
2024	backup.exe
1644	backup.exe
796	backup.exe
1372	backup.exe
1712	backup.exe
524	backup.exe
320	backup.exe
628	System Restore.exe
1508	data.exe
1056	backup.exe
1828	backup.exe
1476	System Restore.exe
532	backup.exe
940	backup.exe
1008	backup.exe
396	backup.exe
1160	backup.exe
1556	backup.exe
1844	backup.exe
1592	data.exe
324	backup.exe
1752	backup.exe
1560	backup.exe
956	System Restore.exe
1736	update.exe
1524	backup.exe
1600	backup.exe
1860	update.exe
1412	data.exe
1000	backup.exe
1372	backup.exe
584	update.exe
1504	backup.exe
1180	backup.exe
680	backup.exe
1652	backup.exe
1716	backup.exe
1576	backup.exe
752	backup.exe
1192	backup.exe
1784	backup.exe
1768	backup.exe
1876	backup.exe
1972	backup.exe
1548	backup.exe
604	backup.exe
864	backup.exe
292	backup.exe
1156	backup.exe
436	backup.exe
2012	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 484	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	28
PID 1312 wrote to memory of 484	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	28
PID 1312 wrote to memory of 484	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	28
PID 1312 wrote to memory of 484	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	28
PID 1312 wrote to memory of 580	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	29
PID 1312 wrote to memory of 580	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	29
PID 1312 wrote to memory of 580	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	29
PID 1312 wrote to memory of 580	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	29
PID 1312 wrote to memory of 1928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	30
PID 1312 wrote to memory of 1928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	30
PID 1312 wrote to memory of 1928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	30
PID 1312 wrote to memory of 1928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	30
PID 1312 wrote to memory of 1828	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	31
PID 1312 wrote to memory of 1828	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	31
PID 1312 wrote to memory of 1828	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	31
PID 1312 wrote to memory of 1828	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	31
PID 1312 wrote to memory of 888	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	32
PID 1312 wrote to memory of 888	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	32
PID 1312 wrote to memory of 888	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	32
PID 1312 wrote to memory of 888	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	32
PID 1312 wrote to memory of 928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	33
PID 1312 wrote to memory of 928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	33
PID 1312 wrote to memory of 928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	33
PID 1312 wrote to memory of 928	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	33
PID 1312 wrote to memory of 1876	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	34
PID 1312 wrote to memory of 1876	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	34
PID 1312 wrote to memory of 1876	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	34
PID 1312 wrote to memory of 1876	1312	1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe	34
PID 484 wrote to memory of 1872	484	System Restore.exe	35
PID 484 wrote to memory of 1872	484	System Restore.exe	35
PID 484 wrote to memory of 1872	484	System Restore.exe	35
PID 484 wrote to memory of 1872	484	System Restore.exe	35
PID 1872 wrote to memory of 856	1872	backup.exe	36
PID 1872 wrote to memory of 856	1872	backup.exe	36
PID 1872 wrote to memory of 856	1872	backup.exe	36
PID 1872 wrote to memory of 856	1872	backup.exe	36
PID 1872 wrote to memory of 1128	1872	backup.exe	37
PID 1872 wrote to memory of 1128	1872	backup.exe	37
PID 1872 wrote to memory of 1128	1872	backup.exe	37
PID 1872 wrote to memory of 1128	1872	backup.exe	37
PID 856 wrote to memory of 2020	856	System Restore.exe	38
PID 856 wrote to memory of 2020	856	System Restore.exe	38
PID 856 wrote to memory of 2020	856	System Restore.exe	38
PID 856 wrote to memory of 2020	856	System Restore.exe	38
PID 1128 wrote to memory of 1168	1128	backup.exe	39
PID 1128 wrote to memory of 1168	1128	backup.exe	39
PID 1128 wrote to memory of 1168	1128	backup.exe	39
PID 1128 wrote to memory of 1168	1128	backup.exe	39
PID 1168 wrote to memory of 2024	1168	backup.exe	40
PID 1168 wrote to memory of 2024	1168	backup.exe	40
PID 1168 wrote to memory of 2024	1168	backup.exe	40
PID 1168 wrote to memory of 2024	1168	backup.exe	40
PID 1128 wrote to memory of 1644	1128	backup.exe	41
PID 1128 wrote to memory of 1644	1128	backup.exe	41
PID 1128 wrote to memory of 1644	1128	backup.exe	41
PID 1128 wrote to memory of 1644	1128	backup.exe	41
PID 1644 wrote to memory of 796	1644	backup.exe	42
PID 1644 wrote to memory of 796	1644	backup.exe	42
PID 1644 wrote to memory of 796	1644	backup.exe	42
PID 1644 wrote to memory of 796	1644	backup.exe	42
PID 796 wrote to memory of 1372	796	backup.exe	43
PID 796 wrote to memory of 1372	796	backup.exe	43
PID 796 wrote to memory of 1372	796	backup.exe	43
PID 796 wrote to memory of 1372	796	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe
"C:\Users\Admin\AppData\Local\Temp\1a34f4c671c2ff2acc255769f13ec19bdeba6e913441fd5c378a7dc51ecc3dbb.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\3715432083\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\PerfLogs\System Restore.exe
      "C:\PerfLogs\System Restore.exe" C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2020
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1644
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:564
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2172
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:292
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1472
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1064
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:808
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:956
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1296
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1096
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:584
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:972
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:752
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        
        PID:820
        
        C:\Program Files\Common Files\System\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\es-ES\System Restore.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1596
        
        C:\Program Files\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:696
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1340
        
        C:\Program Files\Common Files\System\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ja-JP\data.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:864
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:864
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:436
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:620
      - C:\Program Files\DVD Maker\fr-FR\update.exe
        
        "C:\Program Files\DVD Maker\fr-FR\update.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1124
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:320
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:1828
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1560
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1340
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1644
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:1660
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1184
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1752
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:920
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1784
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1596
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1144
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1052
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1192
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2116
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1788
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1516
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1988
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:1144
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1148
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:808
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1704
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1516
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2160
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Disables RegEdit via registry modification
        
        PID:188
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:604
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1560
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1500
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1224
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1124
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:748
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1708
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        System policy modification
        
        PID:928
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1636
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1056
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:2132
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        System policy modification
        
        PID:1876
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1576
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2180
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:292
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:768
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:1160
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1000
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:608
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1988
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1728
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1272
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:1752
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1656
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:656
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1412
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1048
      - C:\Users\Admin\Desktop\System Restore.exe
        
        "C:\Users\Admin\Desktop\System Restore.exe" C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1124
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1764
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:680
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1684
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:856
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:848
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:1592
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2036
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1052
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:2012
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1828
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:580
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:2144
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1872
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:820
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:472
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:928
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
f1f8bdef8b85d94e79bcfb46133e9b9e

SHA1
ffbc8910f53bc245f7af946ff200d350cdcd4260

SHA256
59220853da995ad4263f393c6e892e88e504d663aa2b895db4c7e242f72c51b5

SHA512
357551f9cfaf67cbebacb37f5daa75b1596f9407b936dc8602b85f3533a5811b29ea85cefdb7886cd5612bf011fbe57b43051e4e08f61d0a8f2d84c19be46523

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
c7af249fd71306061ce494aa1f0d786f

SHA1
95bbae667c669500bbbf996632fbfb2ea0cd3dbd

SHA256
0fa1bcca23433de5ee00edc8c37fb652227b804a2f4859bee00da638ce558898

SHA512
1944ac8bd44283d7ea5828900cf706df13c29c5da88c2e3428d8663c0f90667711e7baf528742b027d82ff4fff9f92490924b94151a03b4081e696991ac50c14

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
c7af249fd71306061ce494aa1f0d786f

SHA1
95bbae667c669500bbbf996632fbfb2ea0cd3dbd

SHA256
0fa1bcca23433de5ee00edc8c37fb652227b804a2f4859bee00da638ce558898

SHA512
1944ac8bd44283d7ea5828900cf706df13c29c5da88c2e3428d8663c0f90667711e7baf528742b027d82ff4fff9f92490924b94151a03b4081e696991ac50c14

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
053b14988f3a46865336778d5cfe9a15

SHA1
a30ec8970cf82172297dfb48f3308e24812a6bf9

SHA256
5bd62aaa2d1caf3d5c77c0089e198ed2d445732593bb7df68adb83ebcd215f7b

SHA512
99ed36db62eea4e4e879267877aea98988cf4238bfa8226e0183fb09a8c1d8e2a7acc57916fe9aace6c3f7a32e708d3ea5ba3bd3ae456f1924bb0ba2530e48c8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7e53782f95e539064c18d4350cfc875e

SHA1
ffcc75a6d76471fc5d7ff1003fc70de598c046c1

SHA256
d2228e86b4874ff0071a8a2e18d52906bf582ab59a3bd4ef70d440b7de56dfb1

SHA512
700d36f9e1b501b44e143dfebdb4364ec6fc712dee7632c8d4aa394df182ab4e3da17c9749f1dfa2b391d858d93bb439ca3e6382b7c14f0bc65dfec73e18436a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7e53782f95e539064c18d4350cfc875e

SHA1
ffcc75a6d76471fc5d7ff1003fc70de598c046c1

SHA256
d2228e86b4874ff0071a8a2e18d52906bf582ab59a3bd4ef70d440b7de56dfb1

SHA512
700d36f9e1b501b44e143dfebdb4364ec6fc712dee7632c8d4aa394df182ab4e3da17c9749f1dfa2b391d858d93bb439ca3e6382b7c14f0bc65dfec73e18436a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1e858d49cff9fcb5624d29b3043fda88

SHA1
623b25737d908bf8aef246e9443db1acad362520

SHA256
244299a5e2c5e9ecfd1f568c1bf353b55aeec92eb3c02453250d3207b93a5d42

SHA512
a27df48b078fbdf6fe667e2a429dada70a117659556318476d8fd822dff664541fe48dd6ca97f2f026141335f3f75161f9b5cfc3617bd7d9db0c827e280a3464

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1e858d49cff9fcb5624d29b3043fda88

SHA1
623b25737d908bf8aef246e9443db1acad362520

SHA256
244299a5e2c5e9ecfd1f568c1bf353b55aeec92eb3c02453250d3207b93a5d42

SHA512
a27df48b078fbdf6fe667e2a429dada70a117659556318476d8fd822dff664541fe48dd6ca97f2f026141335f3f75161f9b5cfc3617bd7d9db0c827e280a3464

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c01c2f5a7b73c37c876f69f68b736229

SHA1
aa6167e597f3a17f977fd8249d57961d420ae95f

SHA256
ecd3eacaa455b0f989e0b316d2014b6305e55e7d963d7d598496e9ac5898ac13

SHA512
f172f8139885e0ef987a995e96169cc84416512bad2593ef919f72b2b7e747a47dddccf3596d2d6c98de3cd5610e5226e893eb0f31fbb42a7e90f836433f0b67

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c01c2f5a7b73c37c876f69f68b736229

SHA1
aa6167e597f3a17f977fd8249d57961d420ae95f

SHA256
ecd3eacaa455b0f989e0b316d2014b6305e55e7d963d7d598496e9ac5898ac13

SHA512
f172f8139885e0ef987a995e96169cc84416512bad2593ef919f72b2b7e747a47dddccf3596d2d6c98de3cd5610e5226e893eb0f31fbb42a7e90f836433f0b67

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5bc9987d8c3874b3ba351e36f968ef66

SHA1
59ce554476601bf51d6c7bf778ef7b5ac11e6c8a

SHA256
1db02702b29719f77a0fb928e5f4d016d33ca49d290668d321eba99dd8d6090d

SHA512
8590d4002fe84feba339f5dee0cfe825d9ddc6de11d0e3cecc9ad965e802609ca142017cf08ee75b3e434f77351d2f90f49f2472a5d105b421dbe8d4cf3f58e1

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
5bc9987d8c3874b3ba351e36f968ef66

SHA1
59ce554476601bf51d6c7bf778ef7b5ac11e6c8a

SHA256
1db02702b29719f77a0fb928e5f4d016d33ca49d290668d321eba99dd8d6090d

SHA512
8590d4002fe84feba339f5dee0cfe825d9ddc6de11d0e3cecc9ad965e802609ca142017cf08ee75b3e434f77351d2f90f49f2472a5d105b421dbe8d4cf3f58e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0d1e6976531aa9cea69e0f0c3dc98566

SHA1
a030844ec932be31c4a52e24ecc4969b2e758798

SHA256
b9b75ddc0353e2aed0a15b106dcbf194c2282624892f7d086cd1887564fc447a

SHA512
0c5db936346205268d3f8d13d157252f6277ca972a41624df80bf46199426fbb8df153996d48506b7c9c9d60aa640f8e1cbe20018c40405c983eb6cf139297a9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0d1e6976531aa9cea69e0f0c3dc98566

SHA1
a030844ec932be31c4a52e24ecc4969b2e758798

SHA256
b9b75ddc0353e2aed0a15b106dcbf194c2282624892f7d086cd1887564fc447a

SHA512
0c5db936346205268d3f8d13d157252f6277ca972a41624df80bf46199426fbb8df153996d48506b7c9c9d60aa640f8e1cbe20018c40405c983eb6cf139297a9

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
f1f8bdef8b85d94e79bcfb46133e9b9e

SHA1
ffbc8910f53bc245f7af946ff200d350cdcd4260

SHA256
59220853da995ad4263f393c6e892e88e504d663aa2b895db4c7e242f72c51b5

SHA512
357551f9cfaf67cbebacb37f5daa75b1596f9407b936dc8602b85f3533a5811b29ea85cefdb7886cd5612bf011fbe57b43051e4e08f61d0a8f2d84c19be46523

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
f1f8bdef8b85d94e79bcfb46133e9b9e

SHA1
ffbc8910f53bc245f7af946ff200d350cdcd4260

SHA256
59220853da995ad4263f393c6e892e88e504d663aa2b895db4c7e242f72c51b5

SHA512
357551f9cfaf67cbebacb37f5daa75b1596f9407b936dc8602b85f3533a5811b29ea85cefdb7886cd5612bf011fbe57b43051e4e08f61d0a8f2d84c19be46523

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
c7af249fd71306061ce494aa1f0d786f

SHA1
95bbae667c669500bbbf996632fbfb2ea0cd3dbd

SHA256
0fa1bcca23433de5ee00edc8c37fb652227b804a2f4859bee00da638ce558898

SHA512
1944ac8bd44283d7ea5828900cf706df13c29c5da88c2e3428d8663c0f90667711e7baf528742b027d82ff4fff9f92490924b94151a03b4081e696991ac50c14

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
c7af249fd71306061ce494aa1f0d786f

SHA1
95bbae667c669500bbbf996632fbfb2ea0cd3dbd

SHA256
0fa1bcca23433de5ee00edc8c37fb652227b804a2f4859bee00da638ce558898

SHA512
1944ac8bd44283d7ea5828900cf706df13c29c5da88c2e3428d8663c0f90667711e7baf528742b027d82ff4fff9f92490924b94151a03b4081e696991ac50c14

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
053b14988f3a46865336778d5cfe9a15

SHA1
a30ec8970cf82172297dfb48f3308e24812a6bf9

SHA256
5bd62aaa2d1caf3d5c77c0089e198ed2d445732593bb7df68adb83ebcd215f7b

SHA512
99ed36db62eea4e4e879267877aea98988cf4238bfa8226e0183fb09a8c1d8e2a7acc57916fe9aace6c3f7a32e708d3ea5ba3bd3ae456f1924bb0ba2530e48c8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
053b14988f3a46865336778d5cfe9a15

SHA1
a30ec8970cf82172297dfb48f3308e24812a6bf9

SHA256
5bd62aaa2d1caf3d5c77c0089e198ed2d445732593bb7df68adb83ebcd215f7b

SHA512
99ed36db62eea4e4e879267877aea98988cf4238bfa8226e0183fb09a8c1d8e2a7acc57916fe9aace6c3f7a32e708d3ea5ba3bd3ae456f1924bb0ba2530e48c8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7e53782f95e539064c18d4350cfc875e

SHA1
ffcc75a6d76471fc5d7ff1003fc70de598c046c1

SHA256
d2228e86b4874ff0071a8a2e18d52906bf582ab59a3bd4ef70d440b7de56dfb1

SHA512
700d36f9e1b501b44e143dfebdb4364ec6fc712dee7632c8d4aa394df182ab4e3da17c9749f1dfa2b391d858d93bb439ca3e6382b7c14f0bc65dfec73e18436a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7e53782f95e539064c18d4350cfc875e

SHA1
ffcc75a6d76471fc5d7ff1003fc70de598c046c1

SHA256
d2228e86b4874ff0071a8a2e18d52906bf582ab59a3bd4ef70d440b7de56dfb1

SHA512
700d36f9e1b501b44e143dfebdb4364ec6fc712dee7632c8d4aa394df182ab4e3da17c9749f1dfa2b391d858d93bb439ca3e6382b7c14f0bc65dfec73e18436a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1e858d49cff9fcb5624d29b3043fda88

SHA1
623b25737d908bf8aef246e9443db1acad362520

SHA256
244299a5e2c5e9ecfd1f568c1bf353b55aeec92eb3c02453250d3207b93a5d42

SHA512
a27df48b078fbdf6fe667e2a429dada70a117659556318476d8fd822dff664541fe48dd6ca97f2f026141335f3f75161f9b5cfc3617bd7d9db0c827e280a3464

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1e858d49cff9fcb5624d29b3043fda88

SHA1
623b25737d908bf8aef246e9443db1acad362520

SHA256
244299a5e2c5e9ecfd1f568c1bf353b55aeec92eb3c02453250d3207b93a5d42

SHA512
a27df48b078fbdf6fe667e2a429dada70a117659556318476d8fd822dff664541fe48dd6ca97f2f026141335f3f75161f9b5cfc3617bd7d9db0c827e280a3464

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f0cecb7301ba6641207d64282df6162f

SHA1
6610af40fb6c7a63a1eadbd41d94e078485a11c3

SHA256
16a1655f23bb4561470947b6594cc55edc875bc7176074eea47326b0ce341088

SHA512
f48ee7cd4d274d5fdaf5fc4f58e8c41433fc97b6b1e24514d27414c58d1781ec969ad5cc82fe248e52e2f59728f9ed74cd1c343fc5781141eb7d971c750ba18c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
7e5d5eac6758b725cd29df99ba74f2a9

SHA1
78a64316946e6641ffad1789d3d471960ba3b025

SHA256
360254a3b2ef3098ff2069017d1219f9563f92908b8c5a7bc5647b026abf7984

SHA512
cb997f44985ab9800770786aedefe24a48a00e8c4846a4e773ab4777a6ffe2c6f7ea02fdd6216b1f2b85b83d50fe1990effa8b97b0d6b5de540ca971acf3b751

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c01c2f5a7b73c37c876f69f68b736229

SHA1
aa6167e597f3a17f977fd8249d57961d420ae95f

SHA256
ecd3eacaa455b0f989e0b316d2014b6305e55e7d963d7d598496e9ac5898ac13

SHA512
f172f8139885e0ef987a995e96169cc84416512bad2593ef919f72b2b7e747a47dddccf3596d2d6c98de3cd5610e5226e893eb0f31fbb42a7e90f836433f0b67

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c01c2f5a7b73c37c876f69f68b736229

SHA1
aa6167e597f3a17f977fd8249d57961d420ae95f

SHA256
ecd3eacaa455b0f989e0b316d2014b6305e55e7d963d7d598496e9ac5898ac13

SHA512
f172f8139885e0ef987a995e96169cc84416512bad2593ef919f72b2b7e747a47dddccf3596d2d6c98de3cd5610e5226e893eb0f31fbb42a7e90f836433f0b67

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5bc9987d8c3874b3ba351e36f968ef66

SHA1
59ce554476601bf51d6c7bf778ef7b5ac11e6c8a

SHA256
1db02702b29719f77a0fb928e5f4d016d33ca49d290668d321eba99dd8d6090d

SHA512
8590d4002fe84feba339f5dee0cfe825d9ddc6de11d0e3cecc9ad965e802609ca142017cf08ee75b3e434f77351d2f90f49f2472a5d105b421dbe8d4cf3f58e1

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
5bc9987d8c3874b3ba351e36f968ef66

SHA1
59ce554476601bf51d6c7bf778ef7b5ac11e6c8a

SHA256
1db02702b29719f77a0fb928e5f4d016d33ca49d290668d321eba99dd8d6090d

SHA512
8590d4002fe84feba339f5dee0cfe825d9ddc6de11d0e3cecc9ad965e802609ca142017cf08ee75b3e434f77351d2f90f49f2472a5d105b421dbe8d4cf3f58e1

Download Submit
\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\3715432083\System Restore.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
306333fa5363eba56fd46bd9278d0173

SHA1
7f15d106771055acde1d0526ba91eb283b398952

SHA256
d19946116e17fb4def2599046afca437b74e478f76438889bbda0b89f17dd124

SHA512
a3b3ec23fb5b7d1194e7a1e0d88d765d343fa04a4d048602ea6b7478b64aeca02c7f83c8d3985ca44de68de0d500063787e964f81fe7ca9f44583139b89cfb6f

Download Submit
memory/1312-98-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1312-111-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads