38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120

Analysis

max time kernel
149s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
Size

72KB
MD5

19d8406c23fbe460f9a78d098ac24697
SHA1

87bda2f016611d64d7480b495e9a502e53dc7d6e
SHA256

38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120
SHA512

6f458cb2522174f2286f584bdedab17c64db3cbde0d0875a1c544c7501426089a0652a633887983d59d38fbbaa538598f5c2a14229e8e4f906d6a378b0513709
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2N:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1760	update.exe
588	backup.exe
1112	backup.exe
888	backup.exe
2016	backup.exe
708	backup.exe
1916	backup.exe
688	backup.exe
1836	System Restore.exe
1972	backup.exe
1572	backup.exe
1744	backup.exe
1808	backup.exe
1788	backup.exe
548	backup.exe
1216	backup.exe
1736	backup.exe
1472	backup.exe
588	backup.exe
948	backup.exe
472	backup.exe
984	backup.exe
1912	backup.exe
708	backup.exe
112	backup.exe
1596	backup.exe
1584	backup.exe
1680	backup.exe
980	backup.exe
1308	backup.exe
1268	backup.exe
968	System Restore.exe
344	backup.exe
1124	backup.exe
1920	backup.exe
1372	backup.exe
1908	backup.exe
1304	backup.exe
1744	backup.exe
1020	data.exe
900	backup.exe
524	backup.exe
1480	backup.exe
332	backup.exe
992	backup.exe
320	backup.exe
2016	update.exe
1952	backup.exe
1580	backup.exe
1504	backup.exe
2000	backup.exe
1420	backup.exe
1932	backup.exe
2008	backup.exe
1984	backup.exe
1768	backup.exe
912	backup.exe
1752	backup.exe
2004	backup.exe
1844	backup.exe
1556	System Restore.exe
1120	backup.exe
1328	backup.exe
1892	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1760	update.exe
1760	update.exe
1760	update.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
688	backup.exe
688	backup.exe
1836	System Restore.exe
1836	System Restore.exe
1836	System Restore.exe
1836	System Restore.exe
1836	System Restore.exe
1972	backup.exe
1972	backup.exe
1972	backup.exe
688	backup.exe
688	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1572	backup.exe
1744	backup.exe
1744	backup.exe
1744	backup.exe
1744	backup.exe
1744	backup.exe
1808	backup.exe
1808	backup.exe
1808	backup.exe
1572	backup.exe
1572	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
1788	backup.exe
548	backup.exe
548	backup.exe
548	backup.exe
548	backup.exe
548	backup.exe
1216	backup.exe
1216	backup.exe
1216	backup.exe
548	backup.exe
548	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1736	backup.exe
1472	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\data.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\System Restore.exe	backup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
1760	update.exe
588	backup.exe
1112	backup.exe
888	backup.exe
2016	backup.exe
708	backup.exe
1916	backup.exe
688	backup.exe
1836	System Restore.exe
1972	backup.exe
1572	backup.exe
1744	backup.exe
1808	backup.exe
1788	backup.exe
548	backup.exe
1216	backup.exe
1736	backup.exe
1472	backup.exe
588	backup.exe
948	backup.exe
472	backup.exe
984	backup.exe
1912	backup.exe
708	backup.exe
112	backup.exe
1596	backup.exe
1584	backup.exe
1680	backup.exe
980	backup.exe
1308	backup.exe
1268	backup.exe
968	System Restore.exe
344	backup.exe
1124	backup.exe
1920	backup.exe
1372	backup.exe
1908	backup.exe
1304	backup.exe
1744	backup.exe
1020	data.exe
900	backup.exe
524	backup.exe
1480	backup.exe
332	backup.exe
992	backup.exe
320	backup.exe
2016	update.exe
1952	backup.exe
1580	backup.exe
1504	backup.exe
2000	backup.exe
1420	backup.exe
1932	backup.exe
2008	backup.exe
1984	backup.exe
1768	backup.exe
912	backup.exe
1752	backup.exe
2004	backup.exe
1844	backup.exe
1556	System Restore.exe
1120	backup.exe
1328	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 1760	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	26
PID 1552 wrote to memory of 588	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	27
PID 1552 wrote to memory of 588	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	27
PID 1552 wrote to memory of 588	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	27
PID 1552 wrote to memory of 588	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	27
PID 1552 wrote to memory of 1112	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	28
PID 1552 wrote to memory of 1112	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	28
PID 1552 wrote to memory of 1112	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	28
PID 1552 wrote to memory of 1112	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	28
PID 1552 wrote to memory of 888	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	29
PID 1552 wrote to memory of 888	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	29
PID 1552 wrote to memory of 888	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	29
PID 1552 wrote to memory of 888	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	29
PID 1552 wrote to memory of 2016	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	30
PID 1552 wrote to memory of 2016	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	30
PID 1552 wrote to memory of 2016	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	30
PID 1552 wrote to memory of 2016	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	30
PID 1552 wrote to memory of 708	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	31
PID 1552 wrote to memory of 708	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	31
PID 1552 wrote to memory of 708	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	31
PID 1552 wrote to memory of 708	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	31
PID 1552 wrote to memory of 1916	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	32
PID 1552 wrote to memory of 1916	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	32
PID 1552 wrote to memory of 1916	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	32
PID 1552 wrote to memory of 1916	1552	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe	32
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 1760 wrote to memory of 688	1760	update.exe	33
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 688 wrote to memory of 1836	688	backup.exe	34
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 1836 wrote to memory of 1972	1836	System Restore.exe	35
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 688 wrote to memory of 1572	688	backup.exe	36
PID 1572 wrote to memory of 1744	1572	backup.exe	37
PID 1572 wrote to memory of 1744	1572	backup.exe	37
PID 1572 wrote to memory of 1744	1572	backup.exe	37
PID 1572 wrote to memory of 1744	1572	backup.exe	37
PID 1572 wrote to memory of 1744	1572	backup.exe	37

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe
"C:\Users\Admin\AppData\Local\Temp\38a747c1a86eae2e1bdfee87795fb0a716ae9ba63a6457d8799cdca7bc0fe120.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1552
- C:\Users\Admin\AppData\Local\Temp\3539623647\update.exe
  C:\Users\Admin\AppData\Local\Temp\3539623647\update.exe C:\Users\Admin\AppData\Local\Temp\3539623647\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:688
  - - C:\PerfLogs\System Restore.exe
      "C:\PerfLogs\System Restore.exe" C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1572
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1744
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1808
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1808
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1420
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1584
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1308
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1800
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2024
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:632
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1296
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2100
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2424
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2688
    - - C:\Program Files\DVD Maker\data.exe
        
        "C:\Program Files\DVD Maker\data.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1728
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1848
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        System policy modification
        
        PID:1412
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:904
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:552
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:868
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:240
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1916
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1316
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        System policy modification
        
        PID:640
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1916
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1964
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2248
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2548
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1988
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:320
        
        C:\Program Files\Google\Chrome\Application\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:900
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1616
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:2472
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:2732
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:2344
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2680
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1116
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1424
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:992
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:552
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:784
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2280
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2656
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:364
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Drops file in Program Files directory
        
        PID:1036
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1716
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1120
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2312
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2584
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1940
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1648
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2036
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2524
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2264
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2560
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:112
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1680
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:1372
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1472
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:2592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2208
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:896
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:676
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1980
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1744
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1216
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1124
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1972
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:640
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:2296
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2568
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:896
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2328
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2696
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1412
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1176
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:1624
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1828
      - C:\Program Files (x86)\Google\Update\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\System Restore.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        System policy modification
        
        PID:2216
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\System Restore.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:2620
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:708
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:572
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:1584
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1912
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        Disables RegEdit via registry modification
        
        PID:808
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2224
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:988
    - - C:\Program Files (x86)\Microsoft Synchronization Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\update.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2272
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2600
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:612
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1068
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1320
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1260
      - C:\Users\Admin\Documents\update.exe
        
        C:\Users\Admin\Documents\update.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:612
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2320
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2668
    - - C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        5⤵
        
        PID:1892
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      System policy modification
      PID:1076
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:832
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1780
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1916
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:436
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:2488
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2740
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2304
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:2636
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2576
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:588
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:708
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
C:\backup.exe

Filesize
72KB

MD5
20dbe6f8adad55c4247023ca68c8fd54

SHA1
e3817cf63a2e820dd0a11a359f65bcc35cccb1ef

SHA256
efe594422674eca54e67656f281bef0121ff170b8e8fb217f91fc90c2857840a

SHA512
19dcd9bf849e6070b444b0cbdaf02ffd2e2b9ce4f7a10bd1bdc70059872c0d291044c4e4afd8c3a3021f7e7e69498ec15fec7a01888e06b46b1fc96dca09311b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
20dbe6f8adad55c4247023ca68c8fd54

SHA1
e3817cf63a2e820dd0a11a359f65bcc35cccb1ef

SHA256
efe594422674eca54e67656f281bef0121ff170b8e8fb217f91fc90c2857840a

SHA512
19dcd9bf849e6070b444b0cbdaf02ffd2e2b9ce4f7a10bd1bdc70059872c0d291044c4e4afd8c3a3021f7e7e69498ec15fec7a01888e06b46b1fc96dca09311b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1579760b94988bcae5b96f586ff8ccc7

SHA1
8bfe62db4495278ee461d420ec4b9854ffda0e85

SHA256
6ce53ccf4c0e212927f1bf8777fce85bb7807c99f73d4863fb6fe1a7ba9a18d2

SHA512
1ccee77fe5790ba169ebdfaa98fea756a39a65c9953f7df9b8a8688cf22a4ab6449335a5691cb98af184a57ce77b25e9fbb53366455b1788f447d27886c2ab92

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
3f1aba6389ff4c4b90df72c1eced6bae

SHA1
78e2a3000cd7d7abe2591e14139df12b72ffd5ae

SHA256
d9c022b9127e806f1caa37e6f31737715e77fa5a8e2ce47affed13693cf83462

SHA512
083fb340362aed789d0931c67bb486e8256dc8b3530bd23cf86c99cf86987bd2c726be0b40e9b752ba6460a1a69d9c2ccdc1a162d2bb20eeb79c508a8ad6e4fd

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e96b513e32bb456a8a716cb259f8ed1b

SHA1
498d1e0d8dd67a4000703afff453e5f68425655e

SHA256
4f0e9c7a0f486409705def7d5e6987f44e9d9863edeef84fc95c1d1833e3a6cc

SHA512
8cb1e11462a90010077c7741ee1536885daa0b766b492ffa04cd4c4fe0e64a23b74b3062cc4a56867dd47ab3dbdb6af5f135e4d7fdda2d24a1a3336c2b98374c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
59539dfabfa2083926656def5d8b23fa

SHA1
3848e3a43453c4cd02a661d63906ab48184e4c8a

SHA256
ecd17d7847845102a30a3f4afa2b751ab081a377b0b779fadc024495ac4fb57b

SHA512
6cf6f411523bd3e507bc8a742daa9b9b32aef2c0a6c73f64478d3e1ea81d6fb9d42ab87e50e1eecf3816789bfb23ffd156d8a29f902ddf619e666567bfc520f3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
83aacb481d53226c6ab9634260a1dd20

SHA1
7fc1b66801b02d63dc6c3e8853a86d2ecd38d3d6

SHA256
98368999ae0e106632a5f6140cf4ca9a32dad29cc38d0c80e5cc56e761235034

SHA512
558323957856b231ee31734e3d68a229f28e8a2d551292596e06bb138c87929fc24fd57e9af98f0b44b01a32815471109e11123c2390ef0ccd594fdd03c309ed

Download Submit
\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
\Users\Admin\AppData\Local\Temp\3539623647\update.exe

Filesize
72KB

MD5
6bc676483b91aff3cb159f1c83ab7de6

SHA1
0ec1cd17e312d0c47e11f82ffe7165fffb347914

SHA256
85bb310b5d84270083c0eefe0690890fe728af98eb6bef6ec456c4c9097f997a

SHA512
e3b86d314e330492e2046ef61b59a673963d580c1b98bd45e94dbecce3fec6569276492a6be7493ceada554650c9d52d9f7af26cd73587de35fa20856dc09c02

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
381094b452ac5956ce13fc0378929fe4

SHA1
165a31d1d71ecde09f26bf1314c9b7fa8306ad42

SHA256
723efba6769201f256b214cd5999c3bf099eade2defdcac56038687da63890dc

SHA512
db795cfba29c84fc9acc8353a2753278776467ac2369e2204d10548272a71d432b2c0c78a0bd1ed58944c85b44ac24dab6b061a3cc6ca14594066da37f76d1dc

Download Submit
memory/1552-103-0x0000000074211000-0x0000000074213000-memory.dmp

Filesize
8KB

Download
memory/1760-60-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads