aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682

Analysis

max time kernel
157s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
Size

72KB
MD5

0b378b40a97125f91e82fdb1b6b68b09
SHA1

a13a049ea33b579e72c75e39c0ff3980fbb07c13
SHA256

aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682
SHA512

7900ac1a7ff5ee9f51087927b1f8ab7ba36232d86f9c8123ca95d3ffeb6277b59013e35159fb2622cefe3c1d96c0734d929a5a654fdcb563850e63aabd313ca7
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2m:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPS

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

Executes dropped EXE 64 IoCs

pid	Process
1984	backup.exe
1944	backup.exe
1488	backup.exe
1464	backup.exe
884	backup.exe
980	backup.exe
1768	data.exe
988	backup.exe
1040	backup.exe
1028	System Restore.exe
1584	backup.exe
1932	backup.exe
680	backup.exe
880	backup.exe
1688	backup.exe
1716	backup.exe
1304	backup.exe
1748	backup.exe
816	backup.exe
1700	backup.exe
1096	backup.exe
1964	backup.exe
964	backup.exe
1392	backup.exe
1124	backup.exe
1728	backup.exe
1464	backup.exe
1780	backup.exe
808	backup.exe
980	backup.exe
336	backup.exe
380	backup.exe
608	backup.exe
1296	backup.exe
1028	update.exe
1080	backup.exe
1404	backup.exe
1396	backup.exe
1144	backup.exe
756	backup.exe
1308	backup.exe
1744	backup.exe
1068	backup.exe
1716	backup.exe
1020	backup.exe
1860	backup.exe
1704	backup.exe
816	backup.exe
1072	backup.exe
588	backup.exe
1964	System Restore.exe
1428	System Restore.exe
964	backup.exe
1124	update.exe
1760	update.exe
1728	backup.exe
1780	backup.exe
1544	backup.exe
988	backup.exe
336	backup.exe
1056	backup.exe
608	backup.exe
1924	backup.exe
1940	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
884	backup.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
884	backup.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
1768	data.exe
1768	data.exe
884	backup.exe
884	backup.exe
1584	backup.exe
1584	backup.exe
1932	backup.exe
1932	backup.exe
1584	backup.exe
1584	backup.exe
880	backup.exe
880	backup.exe
1688	backup.exe
1688	backup.exe
1688	backup.exe
1688	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
1304	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe
808	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
1984	backup.exe
1944	backup.exe
1488	backup.exe
1464	backup.exe
884	backup.exe
980	backup.exe
1768	data.exe
988	backup.exe
1040	backup.exe
1028	System Restore.exe
1584	backup.exe
1932	backup.exe
680	backup.exe
880	backup.exe
1688	backup.exe
1716	backup.exe
1304	backup.exe
1748	backup.exe
816	backup.exe
1700	backup.exe
1096	backup.exe
1964	backup.exe
964	backup.exe
1392	backup.exe
1124	backup.exe
1728	backup.exe
1464	backup.exe
1780	backup.exe
808	backup.exe
980	backup.exe
336	backup.exe
380	backup.exe
608	backup.exe
1296	backup.exe
1028	update.exe
1080	backup.exe
1404	backup.exe
1396	backup.exe
1144	backup.exe
756	backup.exe
1308	backup.exe
1744	backup.exe
1068	backup.exe
1716	backup.exe
1020	backup.exe
1860	backup.exe
1704	backup.exe
816	backup.exe
1072	backup.exe
588	backup.exe
1964	System Restore.exe
964	backup.exe
1428	System Restore.exe
1728	backup.exe
1760	update.exe
1124	update.exe
1780	backup.exe
1544	backup.exe
336	backup.exe
988	backup.exe
1056	backup.exe
608	backup.exe
1924	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1984	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	26
PID 2020 wrote to memory of 1984	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	26
PID 2020 wrote to memory of 1984	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	26
PID 2020 wrote to memory of 1984	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	26
PID 2020 wrote to memory of 1944	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	27
PID 2020 wrote to memory of 1944	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	27
PID 2020 wrote to memory of 1944	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	27
PID 2020 wrote to memory of 1944	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	27
PID 2020 wrote to memory of 1488	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	28
PID 2020 wrote to memory of 1488	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	28
PID 2020 wrote to memory of 1488	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	28
PID 2020 wrote to memory of 1488	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	28
PID 2020 wrote to memory of 1464	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	29
PID 2020 wrote to memory of 1464	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	29
PID 2020 wrote to memory of 1464	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	29
PID 2020 wrote to memory of 1464	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	29
PID 1984 wrote to memory of 884	1984	backup.exe	30
PID 1984 wrote to memory of 884	1984	backup.exe	30
PID 1984 wrote to memory of 884	1984	backup.exe	30
PID 1984 wrote to memory of 884	1984	backup.exe	30
PID 2020 wrote to memory of 980	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	31
PID 2020 wrote to memory of 980	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	31
PID 2020 wrote to memory of 980	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	31
PID 2020 wrote to memory of 980	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	31
PID 884 wrote to memory of 1768	884	backup.exe	32
PID 884 wrote to memory of 1768	884	backup.exe	32
PID 884 wrote to memory of 1768	884	backup.exe	32
PID 884 wrote to memory of 1768	884	backup.exe	32
PID 2020 wrote to memory of 988	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	33
PID 2020 wrote to memory of 988	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	33
PID 2020 wrote to memory of 988	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	33
PID 2020 wrote to memory of 988	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	33
PID 2020 wrote to memory of 1040	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	34
PID 2020 wrote to memory of 1040	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	34
PID 2020 wrote to memory of 1040	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	34
PID 2020 wrote to memory of 1040	2020	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe	34
PID 1768 wrote to memory of 1028	1768	data.exe	35
PID 1768 wrote to memory of 1028	1768	data.exe	35
PID 1768 wrote to memory of 1028	1768	data.exe	35
PID 1768 wrote to memory of 1028	1768	data.exe	35
PID 884 wrote to memory of 1584	884	backup.exe	36
PID 884 wrote to memory of 1584	884	backup.exe	36
PID 884 wrote to memory of 1584	884	backup.exe	36
PID 884 wrote to memory of 1584	884	backup.exe	36
PID 1584 wrote to memory of 1932	1584	backup.exe	37
PID 1584 wrote to memory of 1932	1584	backup.exe	37
PID 1584 wrote to memory of 1932	1584	backup.exe	37
PID 1584 wrote to memory of 1932	1584	backup.exe	37
PID 1932 wrote to memory of 680	1932	backup.exe	38
PID 1932 wrote to memory of 680	1932	backup.exe	38
PID 1932 wrote to memory of 680	1932	backup.exe	38
PID 1932 wrote to memory of 680	1932	backup.exe	38
PID 1584 wrote to memory of 880	1584	backup.exe	39
PID 1584 wrote to memory of 880	1584	backup.exe	39
PID 1584 wrote to memory of 880	1584	backup.exe	39
PID 1584 wrote to memory of 880	1584	backup.exe	39
PID 880 wrote to memory of 1688	880	backup.exe	40
PID 880 wrote to memory of 1688	880	backup.exe	40
PID 880 wrote to memory of 1688	880	backup.exe	40
PID 880 wrote to memory of 1688	880	backup.exe	40
PID 1688 wrote to memory of 1716	1688	backup.exe	41
PID 1688 wrote to memory of 1716	1688	backup.exe	41
PID 1688 wrote to memory of 1716	1688	backup.exe	41
PID 1688 wrote to memory of 1716	1688	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe
"C:\Users\Admin\AppData\Local\Temp\aab8b15968dcb5bd404373def090c874c5fbcd37caa5545a67b2971160d7c682.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020
- C:\Users\Admin\AppData\Local\Temp\3109976410\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3109976410\backup.exe C:\Users\Admin\AppData\Local\Temp\3109976410\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\PerfLogs\data.exe
      C:\PerfLogs\data.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1768
    - - C:\PerfLogs\Admin\System Restore.exe
        
        "C:\PerfLogs\Admin\System Restore.exe" C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1584
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        System policy modification
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1440
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1724
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:588
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1600
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Program Files\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\update.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:468
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1460
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1436
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1748
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1492
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1760
        
        C:\Program Files\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:1800
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1088
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1144
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1020
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
      - C:\Program Files\DVD Maker\en-US\System Restore.exe
        
        "C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
      - C:\Program Files\DVD Maker\es-ES\update.exe
        
        "C:\Program Files\DVD Maker\es-ES\update.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:608
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1940
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1144
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1308
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1072
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:776
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:812
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        System policy modification
        
        PID:1468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        System policy modification
        
        PID:1176
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2024
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:816
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:588
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2160
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2280
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:2384
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:892
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System policy modification
        
        PID:2016
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:336
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:812
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1068
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1492
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1392
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2152
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:2288
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2392
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:684
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:836
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1040
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2004
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:432
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1924
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2128
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2216
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2336
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1744
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1404
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1404
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2404
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1812
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:1056
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:296
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1928
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Drops file in Program Files directory
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:2420
      - C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\System Restore.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1732
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1412
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1700
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Common Files\System\update.exe
        
        "C:\Program Files (x86)\Common Files\System\update.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2224
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:880
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2200
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2344
    - - C:\Program Files (x86)\Internet Explorer\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\update.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:860
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2208
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2352
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:276
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:680
      - C:\Users\Admin\Desktop\update.exe
        
        C:\Users\Admin\Desktop\update.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1664
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:776
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1428
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1300
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2060
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2168
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2272
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2376
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1840
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:976
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:980
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:988
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
90be1cf298d69df76e67d0bc467ba9db

SHA1
d2e71fa2bfeafccdeb86218186b4852f40fa7733

SHA256
22997b914f7a80a7b7e419e32bdfc933ce9a082a3780f394a19a8c13b389a4ba

SHA512
285568fff0be6b588b6de4aae8bf5b0a0c0b7029e4e313b58ebc2f76cd9e3f40de64f150210ffde2c23069a170ccc3cb173310093d42580989c9f60214823699

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
a9361797cbd50f4544254e8f7fde11f3

SHA1
ba059bbe4dcc6e23cc5345c523ec8423d2478cfb

SHA256
ad667c15da1e514014a3447928aac0828264c67681a081d3ed7dce8c3b3ec3c1

SHA512
40f25b851b14a755f540ad2551d44f4760411d3912b1a004a616080d42fd9ee1baebb67dd160fec84255c4035a7015c7108b529fc8089a4ff7ae1573baebb22d

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
a9361797cbd50f4544254e8f7fde11f3

SHA1
ba059bbe4dcc6e23cc5345c523ec8423d2478cfb

SHA256
ad667c15da1e514014a3447928aac0828264c67681a081d3ed7dce8c3b3ec3c1

SHA512
40f25b851b14a755f540ad2551d44f4760411d3912b1a004a616080d42fd9ee1baebb67dd160fec84255c4035a7015c7108b529fc8089a4ff7ae1573baebb22d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
071bd299abf19dc61ce9c1d96595fe8d

SHA1
d37f93e8c8923aee164664f90cf4d32475d164bb

SHA256
8ee785f485c03c90847d0ec9c02846dc750c62522591d439c34edc64495624fa

SHA512
2a1c34cd6c705f376451f77f341cbd8226a04776cbe6d966cd4b1ef4d630ddcc4624554587c5f514a452e6cff0353799efe45ab379bc03e78ff8e3424a7d14b4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
63e5fb9341d632fec93c3b17e28d8b80

SHA1
d105d8dff2f71e1c057c49e0df9041638d0e3fa8

SHA256
92abd60a2b276c3412e3130c01e606e7e6a1f6d2a18d94fe28595347e0afa728

SHA512
4ac746eee3058960b40ab038fd61062be3f140eee8e0bafa2ac768718e9ec2e8bcef78a81887d572d682f1e929adc5e5d6f662d5c6bab9f6db752a22861b193f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0a4b9b65184848d4177a3fed8822e1d6

SHA1
91ee4f8e22d5fa50efb8a0649ccc49a47254e4d6

SHA256
b54d63275c54b22cd70860f236155dd1c8f1d59a2903c4bcd84509cc712f4032

SHA512
f6e0f2b46c08b4c4ec8bea7dbfcaafc0819a0b4cd8ea6c4f5f05b1d8baead37575471ae599b6466eb1f5f711cee0c3888d97284c0ce13db5f6cff76430e686b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0a4b9b65184848d4177a3fed8822e1d6

SHA1
91ee4f8e22d5fa50efb8a0649ccc49a47254e4d6

SHA256
b54d63275c54b22cd70860f236155dd1c8f1d59a2903c4bcd84509cc712f4032

SHA512
f6e0f2b46c08b4c4ec8bea7dbfcaafc0819a0b4cd8ea6c4f5f05b1d8baead37575471ae599b6466eb1f5f711cee0c3888d97284c0ce13db5f6cff76430e686b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a27de04ef0997d3363878c6520e73060

SHA1
05aeb48f9b1dc6c2c3ad296c643cecbdec54c626

SHA256
9c5a19514d12547f9df5ff6942b4d278de47b7aec6f97df905f36936710bb7e8

SHA512
8d20d39f20440017aa6e4e855791e1d43d5525f68c926ca16ddc58b27145ecaface03af119e19932e0b32fb381ef2eeba4029a61bf35bf3664f316241559ad30

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a27de04ef0997d3363878c6520e73060

SHA1
05aeb48f9b1dc6c2c3ad296c643cecbdec54c626

SHA256
9c5a19514d12547f9df5ff6942b4d278de47b7aec6f97df905f36936710bb7e8

SHA512
8d20d39f20440017aa6e4e855791e1d43d5525f68c926ca16ddc58b27145ecaface03af119e19932e0b32fb381ef2eeba4029a61bf35bf3664f316241559ad30

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2988b8ebd937a652ec4e4ebef5f48ed3

SHA1
0a4955dea0eb4142a0999ec59ff35898c7f1591e

SHA256
800e971bf7433f4dc2b79c0c3a0ffd289a4fdb602fa8a451a3fceae8cf750b6b

SHA512
94d6a851c9bb84dc19350c9f4b87acd098d986a4d8c0e68e59e8c73a59535e5e691239a83dc6939edd0b4a66ed4a7f914555f7b2b641e9aef16a1cb55f190feb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2988b8ebd937a652ec4e4ebef5f48ed3

SHA1
0a4955dea0eb4142a0999ec59ff35898c7f1591e

SHA256
800e971bf7433f4dc2b79c0c3a0ffd289a4fdb602fa8a451a3fceae8cf750b6b

SHA512
94d6a851c9bb84dc19350c9f4b87acd098d986a4d8c0e68e59e8c73a59535e5e691239a83dc6939edd0b4a66ed4a7f914555f7b2b641e9aef16a1cb55f190feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3109976410\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3109976410\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fa764de2f53d1e101cda5c8e6567c831

SHA1
d3e4d8976e464fa6c3af1a842ddac135fea4e950

SHA256
73ec56a5da6cae00a18454d53af54d33dbcca761e4bfbba97553149116726718

SHA512
4eb6a9feee064c63e075600eadbbd4903313d37b0ab029b7a5b92c0c5898bc7c110520bcc58446130cb3240f4f67479b4ce7b4f263e9c4fe7c1e365b9034b60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
14cf159d782fc6b7565e100799ee3b4f

SHA1
24acdb29b4791024c7ad86fe7904fb8dae33e5c3

SHA256
196fdf7a5c40881a88e4dfd95612c036c089e117b191b38d3d1838043abee6d0

SHA512
d809453baffb14568fe6fd7e3060411bf4d0512b8e034d7fa452f2f62e993b22b32bf16bf921c5e737474fa716a315c52270b2645fc2a678e9863916a3f13a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2205d4bf376bae6a8b4753924c81fedd

SHA1
3d202cb0dd5ed737344b284d653dbd5597c86109

SHA256
5fa31a19dbde85588767571f0ab61b9f35f3f5200da7454471ee3b0a226e655c

SHA512
3acfe5338ec070ba0312e61c190a75a383e122bbc47c5e5da36ed1ba63162dd99e2ecd2c0534b55983a3c757eace183afb9132d44e717f974f6682884d7525b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d41316cd8f19d48449d76e034029f4e6

SHA1
ca4d8942fffd7ac729c43b63db887f51457dd1b3

SHA256
b58cc6a4195ea204f1d3e597d772dacb19fb18cc6ab89bfe442b672b2861499d

SHA512
1f4296ea5e7f825e559bbbb64d68d0dc8b902c8ff2371bcbf04c9cbc4a71400078249ecb5f04c2551cda24d7eea8a01cf6eb7cc4be60bb4c1242a2e5938e900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b85504b2db1d6cee0bf49e1a8e4dbec4

SHA1
f9736888efff88c465775a04f75ac18524a59918

SHA256
65346c52af3743d24495482301edd00d91bb194033d874dd615ead00b5248b18

SHA512
a7d6b182b0405396bc643268bd4b62574a1df73ee127a671dcbcd371cb374bf2c67ecd7b9b029e163f830effcad98efec6bba183d4a02a471bd1b29303b091b1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
aae7246c79d1dd6da4217e031bf7f121

SHA1
7be1e620fda1ee15a67f5bd8783ad060fb75fa3f

SHA256
2d4213ee6b9b2d0e1be68c715524f7a8c92dd262dc1e08134cd48c1e899262fe

SHA512
76002422dbda5d69f3465efcf598f827b5b3971e420325a335393ee7c3964e3df55d5811ceb1e3ccb4947aca4e3f2a57018bbd7923b41a6289e8df9cc20775fa

Download Submit
C:\backup.exe

Filesize
72KB

MD5
aae7246c79d1dd6da4217e031bf7f121

SHA1
7be1e620fda1ee15a67f5bd8783ad060fb75fa3f

SHA256
2d4213ee6b9b2d0e1be68c715524f7a8c92dd262dc1e08134cd48c1e899262fe

SHA512
76002422dbda5d69f3465efcf598f827b5b3971e420325a335393ee7c3964e3df55d5811ceb1e3ccb4947aca4e3f2a57018bbd7923b41a6289e8df9cc20775fa

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
90be1cf298d69df76e67d0bc467ba9db

SHA1
d2e71fa2bfeafccdeb86218186b4852f40fa7733

SHA256
22997b914f7a80a7b7e419e32bdfc933ce9a082a3780f394a19a8c13b389a4ba

SHA512
285568fff0be6b588b6de4aae8bf5b0a0c0b7029e4e313b58ebc2f76cd9e3f40de64f150210ffde2c23069a170ccc3cb173310093d42580989c9f60214823699

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
90be1cf298d69df76e67d0bc467ba9db

SHA1
d2e71fa2bfeafccdeb86218186b4852f40fa7733

SHA256
22997b914f7a80a7b7e419e32bdfc933ce9a082a3780f394a19a8c13b389a4ba

SHA512
285568fff0be6b588b6de4aae8bf5b0a0c0b7029e4e313b58ebc2f76cd9e3f40de64f150210ffde2c23069a170ccc3cb173310093d42580989c9f60214823699

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
a9361797cbd50f4544254e8f7fde11f3

SHA1
ba059bbe4dcc6e23cc5345c523ec8423d2478cfb

SHA256
ad667c15da1e514014a3447928aac0828264c67681a081d3ed7dce8c3b3ec3c1

SHA512
40f25b851b14a755f540ad2551d44f4760411d3912b1a004a616080d42fd9ee1baebb67dd160fec84255c4035a7015c7108b529fc8089a4ff7ae1573baebb22d

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
a9361797cbd50f4544254e8f7fde11f3

SHA1
ba059bbe4dcc6e23cc5345c523ec8423d2478cfb

SHA256
ad667c15da1e514014a3447928aac0828264c67681a081d3ed7dce8c3b3ec3c1

SHA512
40f25b851b14a755f540ad2551d44f4760411d3912b1a004a616080d42fd9ee1baebb67dd160fec84255c4035a7015c7108b529fc8089a4ff7ae1573baebb22d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
071bd299abf19dc61ce9c1d96595fe8d

SHA1
d37f93e8c8923aee164664f90cf4d32475d164bb

SHA256
8ee785f485c03c90847d0ec9c02846dc750c62522591d439c34edc64495624fa

SHA512
2a1c34cd6c705f376451f77f341cbd8226a04776cbe6d966cd4b1ef4d630ddcc4624554587c5f514a452e6cff0353799efe45ab379bc03e78ff8e3424a7d14b4

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
071bd299abf19dc61ce9c1d96595fe8d

SHA1
d37f93e8c8923aee164664f90cf4d32475d164bb

SHA256
8ee785f485c03c90847d0ec9c02846dc750c62522591d439c34edc64495624fa

SHA512
2a1c34cd6c705f376451f77f341cbd8226a04776cbe6d966cd4b1ef4d630ddcc4624554587c5f514a452e6cff0353799efe45ab379bc03e78ff8e3424a7d14b4

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
63e5fb9341d632fec93c3b17e28d8b80

SHA1
d105d8dff2f71e1c057c49e0df9041638d0e3fa8

SHA256
92abd60a2b276c3412e3130c01e606e7e6a1f6d2a18d94fe28595347e0afa728

SHA512
4ac746eee3058960b40ab038fd61062be3f140eee8e0bafa2ac768718e9ec2e8bcef78a81887d572d682f1e929adc5e5d6f662d5c6bab9f6db752a22861b193f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
63e5fb9341d632fec93c3b17e28d8b80

SHA1
d105d8dff2f71e1c057c49e0df9041638d0e3fa8

SHA256
92abd60a2b276c3412e3130c01e606e7e6a1f6d2a18d94fe28595347e0afa728

SHA512
4ac746eee3058960b40ab038fd61062be3f140eee8e0bafa2ac768718e9ec2e8bcef78a81887d572d682f1e929adc5e5d6f662d5c6bab9f6db752a22861b193f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0a4b9b65184848d4177a3fed8822e1d6

SHA1
91ee4f8e22d5fa50efb8a0649ccc49a47254e4d6

SHA256
b54d63275c54b22cd70860f236155dd1c8f1d59a2903c4bcd84509cc712f4032

SHA512
f6e0f2b46c08b4c4ec8bea7dbfcaafc0819a0b4cd8ea6c4f5f05b1d8baead37575471ae599b6466eb1f5f711cee0c3888d97284c0ce13db5f6cff76430e686b2

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0a4b9b65184848d4177a3fed8822e1d6

SHA1
91ee4f8e22d5fa50efb8a0649ccc49a47254e4d6

SHA256
b54d63275c54b22cd70860f236155dd1c8f1d59a2903c4bcd84509cc712f4032

SHA512
f6e0f2b46c08b4c4ec8bea7dbfcaafc0819a0b4cd8ea6c4f5f05b1d8baead37575471ae599b6466eb1f5f711cee0c3888d97284c0ce13db5f6cff76430e686b2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a27de04ef0997d3363878c6520e73060

SHA1
05aeb48f9b1dc6c2c3ad296c643cecbdec54c626

SHA256
9c5a19514d12547f9df5ff6942b4d278de47b7aec6f97df905f36936710bb7e8

SHA512
8d20d39f20440017aa6e4e855791e1d43d5525f68c926ca16ddc58b27145ecaface03af119e19932e0b32fb381ef2eeba4029a61bf35bf3664f316241559ad30

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
a27de04ef0997d3363878c6520e73060

SHA1
05aeb48f9b1dc6c2c3ad296c643cecbdec54c626

SHA256
9c5a19514d12547f9df5ff6942b4d278de47b7aec6f97df905f36936710bb7e8

SHA512
8d20d39f20440017aa6e4e855791e1d43d5525f68c926ca16ddc58b27145ecaface03af119e19932e0b32fb381ef2eeba4029a61bf35bf3664f316241559ad30

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
6cb5ba61ffbbfef27722a7ca3726c9ff

SHA1
afda44a06ced79f262c5d8f4b5afd3d25dfc449d

SHA256
57295e3ac182855b25fa620b11a22dff68230fcd0f4e0a6e3e17f34cc19e8ad0

SHA512
530d888936dcf1365ad82086029211e7894e2c1e69a911a03ac8a42157bfc234c15a801f7820dd7b2bc478757efb5a5649cdc479c9d33d91d1ee7d6e62ff5ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
db8d9f99875135121a5726a3f63e1214

SHA1
7f72c15ab1a914a95d7b3c7187c6b138249c4b93

SHA256
55961ff77f0565dbb60c7859c0c4878e62bdd86ac7340ce63e15235b84cf4a55

SHA512
e4311356977eb2bf1225e707439791940f4042cad266190b555d0d6d4651dd0721427c118a6e26ca44e4b04371e7d06d9b1e5ee29bcf23f40e706da2d8838642

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
b0a014138ea6736b81b1532912bf6884

SHA1
7f8d351206d7719ba6c63cadcc1b2473ef3c6e7f

SHA256
bd94f09f0177e901657347525a2972a41eed24b59e6f836a30ab9bf8047a782b

SHA512
a621ace06afebaa1296fcfeb3275a9e9a1a4689ffc49c5bdf4769de3437f401635857cdb804a1ef6f9858d7cc70999d58a8e8d8fb1a9768480ee0018b159fa4c

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2988b8ebd937a652ec4e4ebef5f48ed3

SHA1
0a4955dea0eb4142a0999ec59ff35898c7f1591e

SHA256
800e971bf7433f4dc2b79c0c3a0ffd289a4fdb602fa8a451a3fceae8cf750b6b

SHA512
94d6a851c9bb84dc19350c9f4b87acd098d986a4d8c0e68e59e8c73a59535e5e691239a83dc6939edd0b4a66ed4a7f914555f7b2b641e9aef16a1cb55f190feb

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2988b8ebd937a652ec4e4ebef5f48ed3

SHA1
0a4955dea0eb4142a0999ec59ff35898c7f1591e

SHA256
800e971bf7433f4dc2b79c0c3a0ffd289a4fdb602fa8a451a3fceae8cf750b6b

SHA512
94d6a851c9bb84dc19350c9f4b87acd098d986a4d8c0e68e59e8c73a59535e5e691239a83dc6939edd0b4a66ed4a7f914555f7b2b641e9aef16a1cb55f190feb

Download Submit
\Users\Admin\AppData\Local\Temp\3109976410\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
\Users\Admin\AppData\Local\Temp\3109976410\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fa764de2f53d1e101cda5c8e6567c831

SHA1
d3e4d8976e464fa6c3af1a842ddac135fea4e950

SHA256
73ec56a5da6cae00a18454d53af54d33dbcca761e4bfbba97553149116726718

SHA512
4eb6a9feee064c63e075600eadbbd4903313d37b0ab029b7a5b92c0c5898bc7c110520bcc58446130cb3240f4f67479b4ce7b4f263e9c4fe7c1e365b9034b60b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fa764de2f53d1e101cda5c8e6567c831

SHA1
d3e4d8976e464fa6c3af1a842ddac135fea4e950

SHA256
73ec56a5da6cae00a18454d53af54d33dbcca761e4bfbba97553149116726718

SHA512
4eb6a9feee064c63e075600eadbbd4903313d37b0ab029b7a5b92c0c5898bc7c110520bcc58446130cb3240f4f67479b4ce7b4f263e9c4fe7c1e365b9034b60b

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
14cf159d782fc6b7565e100799ee3b4f

SHA1
24acdb29b4791024c7ad86fe7904fb8dae33e5c3

SHA256
196fdf7a5c40881a88e4dfd95612c036c089e117b191b38d3d1838043abee6d0

SHA512
d809453baffb14568fe6fd7e3060411bf4d0512b8e034d7fa452f2f62e993b22b32bf16bf921c5e737474fa716a315c52270b2645fc2a678e9863916a3f13a50

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
14cf159d782fc6b7565e100799ee3b4f

SHA1
24acdb29b4791024c7ad86fe7904fb8dae33e5c3

SHA256
196fdf7a5c40881a88e4dfd95612c036c089e117b191b38d3d1838043abee6d0

SHA512
d809453baffb14568fe6fd7e3060411bf4d0512b8e034d7fa452f2f62e993b22b32bf16bf921c5e737474fa716a315c52270b2645fc2a678e9863916a3f13a50

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2205d4bf376bae6a8b4753924c81fedd

SHA1
3d202cb0dd5ed737344b284d653dbd5597c86109

SHA256
5fa31a19dbde85588767571f0ab61b9f35f3f5200da7454471ee3b0a226e655c

SHA512
3acfe5338ec070ba0312e61c190a75a383e122bbc47c5e5da36ed1ba63162dd99e2ecd2c0534b55983a3c757eace183afb9132d44e717f974f6682884d7525b6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2205d4bf376bae6a8b4753924c81fedd

SHA1
3d202cb0dd5ed737344b284d653dbd5597c86109

SHA256
5fa31a19dbde85588767571f0ab61b9f35f3f5200da7454471ee3b0a226e655c

SHA512
3acfe5338ec070ba0312e61c190a75a383e122bbc47c5e5da36ed1ba63162dd99e2ecd2c0534b55983a3c757eace183afb9132d44e717f974f6682884d7525b6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d41316cd8f19d48449d76e034029f4e6

SHA1
ca4d8942fffd7ac729c43b63db887f51457dd1b3

SHA256
b58cc6a4195ea204f1d3e597d772dacb19fb18cc6ab89bfe442b672b2861499d

SHA512
1f4296ea5e7f825e559bbbb64d68d0dc8b902c8ff2371bcbf04c9cbc4a71400078249ecb5f04c2551cda24d7eea8a01cf6eb7cc4be60bb4c1242a2e5938e900c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d41316cd8f19d48449d76e034029f4e6

SHA1
ca4d8942fffd7ac729c43b63db887f51457dd1b3

SHA256
b58cc6a4195ea204f1d3e597d772dacb19fb18cc6ab89bfe442b672b2861499d

SHA512
1f4296ea5e7f825e559bbbb64d68d0dc8b902c8ff2371bcbf04c9cbc4a71400078249ecb5f04c2551cda24d7eea8a01cf6eb7cc4be60bb4c1242a2e5938e900c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
18f1f7d5bd2fa953795002db9ddeaf17

SHA1
2c3f69c0ee8080059707673e0515d4741b02756a

SHA256
0fbca3977a465fe6761119e609fbd419abac7797e081d5dbe502c07016fa0c67

SHA512
641e1d1194e1da1eaff59c6f7eb752244abd3482f4ed6fba66bceeba1d683157d1b39884f4d8e191283bed052e92849078d58b1ed1bed4aeee14ad7e951a8ae4

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b85504b2db1d6cee0bf49e1a8e4dbec4

SHA1
f9736888efff88c465775a04f75ac18524a59918

SHA256
65346c52af3743d24495482301edd00d91bb194033d874dd615ead00b5248b18

SHA512
a7d6b182b0405396bc643268bd4b62574a1df73ee127a671dcbcd371cb374bf2c67ecd7b9b029e163f830effcad98efec6bba183d4a02a471bd1b29303b091b1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b85504b2db1d6cee0bf49e1a8e4dbec4

SHA1
f9736888efff88c465775a04f75ac18524a59918

SHA256
65346c52af3743d24495482301edd00d91bb194033d874dd615ead00b5248b18

SHA512
a7d6b182b0405396bc643268bd4b62574a1df73ee127a671dcbcd371cb374bf2c67ecd7b9b029e163f830effcad98efec6bba183d4a02a471bd1b29303b091b1

Download Submit
memory/2020-117-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads