4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9

Analysis

max time kernel
57s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
Size

72KB
MD5

003be99ab2bf79ccbd68b15a6d933e2a
SHA1

d08556440c3955e2845f274a6b227bf4cc45bbd1
SHA256

4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9
SHA512

6c4995e6691374072e6eca0066123f56637563d686b1545b4409a1c6d95beb73b7bfc88723b789dd526ece308ada465d2cad69cdf0405250960a4f32f9ea6aaa
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2c:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPI

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
940	backup.exe
584	backup.exe
528	backup.exe
1332	backup.exe
1200	backup.exe
1656	update.exe
1732	backup.exe
760	backup.exe
1060	backup.exe
2040	backup.exe
1476	backup.exe
1116	update.exe
2000	backup.exe
1724	backup.exe
1104	backup.exe
964	backup.exe
1984	backup.exe
1616	backup.exe
1248	backup.exe
584	backup.exe
688	update.exe
1664	backup.exe
824	backup.exe
1660	backup.exe
1792	backup.exe
1072	backup.exe
1540	backup.exe
1144	backup.exe
1156	backup.exe
1940	backup.exe
1176	backup.exe
2036	backup.exe
1420	backup.exe
1928	backup.exe
1948	backup.exe
796	backup.exe
1684	backup.exe
1600	backup.exe
952	backup.exe
1364	backup.exe
1488	update.exe
1980	backup.exe
892	backup.exe
964	backup.exe
1588	backup.exe
1652	backup.exe
896	backup.exe
1192	backup.exe
1496	data.exe
688	backup.exe
1664	backup.exe
824	backup.exe
1660	backup.exe
1792	backup.exe
1072	backup.exe
1540	backup.exe
1144	backup.exe
1672	backup.exe
1944	backup.exe
1908	backup.exe
1548	backup.exe
2044	update.exe
1820	data.exe
1012	data.exe

Loads dropped DLL 64 IoCs

pid	Process
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1656	update.exe
1656	update.exe
1656	update.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
760	backup.exe
760	backup.exe
1060	backup.exe
1060	backup.exe
760	backup.exe
760	backup.exe
1476	backup.exe
1116	update.exe
1116	update.exe
1116	update.exe
1116	update.exe
1116	update.exe
2000	backup.exe
2000	backup.exe
2000	backup.exe
1476	backup.exe
1476	backup.exe
1724	backup.exe
1724	backup.exe
1104	backup.exe
1104	backup.exe
1104	backup.exe
1104	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
688	update.exe
688	update.exe
688	update.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe
1984	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
940	backup.exe
584	backup.exe
528	backup.exe
1332	backup.exe
1200	backup.exe
1656	update.exe
1732	backup.exe
760	backup.exe
1060	backup.exe
2040	backup.exe
1476	backup.exe
1116	update.exe
2000	backup.exe
1724	backup.exe
1104	backup.exe
964	backup.exe
1984	backup.exe
1616	backup.exe
1248	backup.exe
584	backup.exe
688	update.exe
1664	backup.exe
824	backup.exe
1660	backup.exe
1792	backup.exe
1072	backup.exe
1540	backup.exe
1144	backup.exe
1156	backup.exe
1940	backup.exe
1176	backup.exe
2036	backup.exe
1420	backup.exe
1928	backup.exe
1948	backup.exe
796	backup.exe
1684	backup.exe
1600	backup.exe
952	backup.exe
1364	backup.exe
1488	update.exe
1980	backup.exe
892	backup.exe
964	backup.exe
1588	backup.exe
1652	backup.exe
896	backup.exe
1192	backup.exe
1496	data.exe
688	backup.exe
1664	backup.exe
824	backup.exe
1660	backup.exe
1792	backup.exe
1072	backup.exe
1540	backup.exe
1144	backup.exe
1672	backup.exe
1944	backup.exe
1908	backup.exe
1548	backup.exe
2044	update.exe
1820	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 940	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	27
PID 1232 wrote to memory of 940	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	27
PID 1232 wrote to memory of 940	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	27
PID 1232 wrote to memory of 940	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	27
PID 1232 wrote to memory of 584	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	28
PID 1232 wrote to memory of 584	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	28
PID 1232 wrote to memory of 584	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	28
PID 1232 wrote to memory of 584	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	28
PID 1232 wrote to memory of 528	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	29
PID 1232 wrote to memory of 528	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	29
PID 1232 wrote to memory of 528	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	29
PID 1232 wrote to memory of 528	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	29
PID 1232 wrote to memory of 1332	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	30
PID 1232 wrote to memory of 1332	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	30
PID 1232 wrote to memory of 1332	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	30
PID 1232 wrote to memory of 1332	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	30
PID 1232 wrote to memory of 1200	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	31
PID 1232 wrote to memory of 1200	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	31
PID 1232 wrote to memory of 1200	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	31
PID 1232 wrote to memory of 1200	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	31
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1656	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	32
PID 1232 wrote to memory of 1732	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	33
PID 1232 wrote to memory of 1732	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	33
PID 1232 wrote to memory of 1732	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	33
PID 1232 wrote to memory of 1732	1232	4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe	33
PID 940 wrote to memory of 760	940	backup.exe	34
PID 940 wrote to memory of 760	940	backup.exe	34
PID 940 wrote to memory of 760	940	backup.exe	34
PID 940 wrote to memory of 760	940	backup.exe	34
PID 760 wrote to memory of 1060	760	backup.exe	35
PID 760 wrote to memory of 1060	760	backup.exe	35
PID 760 wrote to memory of 1060	760	backup.exe	35
PID 760 wrote to memory of 1060	760	backup.exe	35
PID 1060 wrote to memory of 2040	1060	backup.exe	36
PID 1060 wrote to memory of 2040	1060	backup.exe	36
PID 1060 wrote to memory of 2040	1060	backup.exe	36
PID 1060 wrote to memory of 2040	1060	backup.exe	36
PID 760 wrote to memory of 1476	760	backup.exe	37
PID 760 wrote to memory of 1476	760	backup.exe	37
PID 760 wrote to memory of 1476	760	backup.exe	37
PID 760 wrote to memory of 1476	760	backup.exe	37
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1476 wrote to memory of 1116	1476	backup.exe	38
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1116 wrote to memory of 2000	1116	update.exe	39
PID 1476 wrote to memory of 1724	1476	backup.exe	40
PID 1476 wrote to memory of 1724	1476	backup.exe	40
PID 1476 wrote to memory of 1724	1476	backup.exe	40

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe
"C:\Users\Admin\AppData\Local\Temp\4822d9fb8fac5ed4e16938ebdf28c7ccc1605f82e91ff1a53ca7bf12b38daca9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\1759997982\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1759997982\backup.exe C:\Users\Admin\AppData\Local\Temp\1759997982\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1116
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2000
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1268
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1748
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2008
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1752
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:860
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1332
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:304
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1028
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1732
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1404
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1808
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1504
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1720
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1792
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1740
        
        C:\Program Files\Common Files\System\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1536
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1892
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1056
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2092
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1540
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1592
      - C:\Program Files\DVD Maker\en-US\System Restore.exe
        
        "C:\Program Files\DVD Maker\en-US\System Restore.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:1884
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1984
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2000
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:1012
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        System policy modification
        
        PID:892
      - C:\Program Files\DVD Maker\Shared\data.exe
        
        "C:\Program Files\DVD Maker\Shared\data.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1168
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1192
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1524
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1512
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1664
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1364
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1496
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1504
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1088
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1712
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1876
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2128
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1612
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1568
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1928
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1708
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1932
      - C:\Program Files\Microsoft Games\FreeCell\data.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\data.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1400
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2100
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1072
    - - C:\Program Files\Mozilla Firefox\data.exe
        
        "C:\Program Files\Mozilla Firefox\data.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1576
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1824
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1272
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1616
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:664
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1220
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:800
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Drops file in Windows directory
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1192
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1472
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1488
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2108
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:796
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1156
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1320
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:576
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1256
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1944
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1548
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1104
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:664
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2120
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1644
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:952
    - - C:\Program Files (x86)\Microsoft Office\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\update.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1584
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1176
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:984
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2084
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1908
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1884
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1708
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1560
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1524
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1144
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1752
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:112
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1496
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:676
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2056
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1940
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:544
    - - C:\Windows\addins\data.exe
        
        C:\Windows\addins\data.exe C:\Windows\addins\
        5⤵
        
        PID:596
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1648
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1692
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:944
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:628
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2076
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:584
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:528
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
097617eece569596899ecb7472811259

SHA1
28e59dc7488d813c6c4e10880fba6a66f8bbb5f9

SHA256
9385f74cacab0e222dfcc9f2b7530891add7abad37fa7b65d7d2f8b441ab6964

SHA512
0befb4218a9cdafc598af9cf0b0b772f836245b437479e7e51d319126f6d32423c29f45c5ed0bf708e83009b56e41870176355517a83ca1256afdcae01214bf5

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
4d9c85e039f9d41b5b9aa7734e9cc600

SHA1
f97e02198230e427e9ec447770844e54ec98191d

SHA256
0ae1a5886021771ba40c4ad22cf8fa58a615afc45ed608e0ac9b974dc0ced43b

SHA512
b2de97633a2ee38b6d0ea062b6e0c8f9d46f4d5fd89baff88f7ec299c108bd6852d84be218fe6e73ef091b5c7a3bf061c368560bd93990598914914d9784e240

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
4d9c85e039f9d41b5b9aa7734e9cc600

SHA1
f97e02198230e427e9ec447770844e54ec98191d

SHA256
0ae1a5886021771ba40c4ad22cf8fa58a615afc45ed608e0ac9b974dc0ced43b

SHA512
b2de97633a2ee38b6d0ea062b6e0c8f9d46f4d5fd89baff88f7ec299c108bd6852d84be218fe6e73ef091b5c7a3bf061c368560bd93990598914914d9784e240

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1c9d79dd68c4572756832f24e321477a

SHA1
ec08f4e1334edee14d150e5b2780794188022504

SHA256
3fae5a5afe7c42a9d13c9338ed1b8cb9b00b3faf04479e242faa1db0c1fd6ca1

SHA512
8db0cfaef501661a97e4a649d83b4aaee591f0b7a81cae43029ffab03e5b5be9a3b3a4a71f535d355074b36f35d154904aa1055c789309c24c3619f465b98ee1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9c1d286a63ff04d9d3b384401edf517e

SHA1
59f0389b527694b0cfa9fbfc89b1ab1cf889983c

SHA256
6b44aef6628170201e1df6ce95cc65971d3810d0a984cf40fa71b90be4fb119a

SHA512
adb278df62b0c28c35511e09acd2c5aac2f3d3bdc2323d28ba87cce7bf5bd2a4ddf2ee6b19552694482cd7112251ce64f59bb0687c0147030dc624b63fe2dbd0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9c1d286a63ff04d9d3b384401edf517e

SHA1
59f0389b527694b0cfa9fbfc89b1ab1cf889983c

SHA256
6b44aef6628170201e1df6ce95cc65971d3810d0a984cf40fa71b90be4fb119a

SHA512
adb278df62b0c28c35511e09acd2c5aac2f3d3bdc2323d28ba87cce7bf5bd2a4ddf2ee6b19552694482cd7112251ce64f59bb0687c0147030dc624b63fe2dbd0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d16b0afae8a06909d91e0aeaa6ae65ab

SHA1
e6b0c18af3ce78e0c97e32a4665cb3b533041f1c

SHA256
93e6305829b643a40831aa7c50e94ac3e42a8fe471ba470832d6880f2e6dc72c

SHA512
7b9deb28f02ed34a9d24aa2572b5fa96301d55fc5910270b9a64b2c44b5bf2cb6bae2ac0f2cadc7103c764979aa80caae0bf5d60b2b81610cf9c3cdd3b9754ab

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d16b0afae8a06909d91e0aeaa6ae65ab

SHA1
e6b0c18af3ce78e0c97e32a4665cb3b533041f1c

SHA256
93e6305829b643a40831aa7c50e94ac3e42a8fe471ba470832d6880f2e6dc72c

SHA512
7b9deb28f02ed34a9d24aa2572b5fa96301d55fc5910270b9a64b2c44b5bf2cb6bae2ac0f2cadc7103c764979aa80caae0bf5d60b2b81610cf9c3cdd3b9754ab

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ae0db74f8a6ea048f30a718f699f98e

SHA1
11c64d96efc047075284060439ebddff1962ce6f

SHA256
7a80a069d14d6ce99f9eeaf78217761dc9e4ce56222cd53fbb617cce49c022cb

SHA512
429f7a5125dc9aa672b36d5939042fc490c618f9b52f8dc13aeb81ea670065f2f20510ef8f80416881741d523ee626b3c1b6437aa42209956384df78557974e9

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ae0db74f8a6ea048f30a718f699f98e

SHA1
11c64d96efc047075284060439ebddff1962ce6f

SHA256
7a80a069d14d6ce99f9eeaf78217761dc9e4ce56222cd53fbb617cce49c022cb

SHA512
429f7a5125dc9aa672b36d5939042fc490c618f9b52f8dc13aeb81ea670065f2f20510ef8f80416881741d523ee626b3c1b6437aa42209956384df78557974e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1759997982\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1759997982\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
C:\backup.exe

Filesize
72KB

MD5
b6bd264f80793876253e97957bcd2696

SHA1
5e86c9638504aa6813d12e53a445b503ed9602aa

SHA256
810f952c93598b6f9ff4d0350fa56cfcf94a4499f4b5c72b08f27510d005df48

SHA512
bd1f2b37c0238cb281cd90ba106b12f765b8620cb39ab06fcc5b43c2bb3db18c54f6fc64047c412e879e2ad5c7e2a9600d86d1eb5e8c86e538f8e5f21c0f681e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
b6bd264f80793876253e97957bcd2696

SHA1
5e86c9638504aa6813d12e53a445b503ed9602aa

SHA256
810f952c93598b6f9ff4d0350fa56cfcf94a4499f4b5c72b08f27510d005df48

SHA512
bd1f2b37c0238cb281cd90ba106b12f765b8620cb39ab06fcc5b43c2bb3db18c54f6fc64047c412e879e2ad5c7e2a9600d86d1eb5e8c86e538f8e5f21c0f681e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
097617eece569596899ecb7472811259

SHA1
28e59dc7488d813c6c4e10880fba6a66f8bbb5f9

SHA256
9385f74cacab0e222dfcc9f2b7530891add7abad37fa7b65d7d2f8b441ab6964

SHA512
0befb4218a9cdafc598af9cf0b0b772f836245b437479e7e51d319126f6d32423c29f45c5ed0bf708e83009b56e41870176355517a83ca1256afdcae01214bf5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
097617eece569596899ecb7472811259

SHA1
28e59dc7488d813c6c4e10880fba6a66f8bbb5f9

SHA256
9385f74cacab0e222dfcc9f2b7530891add7abad37fa7b65d7d2f8b441ab6964

SHA512
0befb4218a9cdafc598af9cf0b0b772f836245b437479e7e51d319126f6d32423c29f45c5ed0bf708e83009b56e41870176355517a83ca1256afdcae01214bf5

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
4d9c85e039f9d41b5b9aa7734e9cc600

SHA1
f97e02198230e427e9ec447770844e54ec98191d

SHA256
0ae1a5886021771ba40c4ad22cf8fa58a615afc45ed608e0ac9b974dc0ced43b

SHA512
b2de97633a2ee38b6d0ea062b6e0c8f9d46f4d5fd89baff88f7ec299c108bd6852d84be218fe6e73ef091b5c7a3bf061c368560bd93990598914914d9784e240

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
4d9c85e039f9d41b5b9aa7734e9cc600

SHA1
f97e02198230e427e9ec447770844e54ec98191d

SHA256
0ae1a5886021771ba40c4ad22cf8fa58a615afc45ed608e0ac9b974dc0ced43b

SHA512
b2de97633a2ee38b6d0ea062b6e0c8f9d46f4d5fd89baff88f7ec299c108bd6852d84be218fe6e73ef091b5c7a3bf061c368560bd93990598914914d9784e240

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c5d85444e8e28204e39ed24289a3dad6

SHA1
ed6394574907752acf1885e834e5615ab5b327b9

SHA256
e88f1fa4e9f46c2a700ae9ac517c323411ad144f3c5719550fa3d629127e4959

SHA512
01183a4ea6ca99d25b1db39dad424afa087ecd0a82334bcf5b42b03bd37e48633cbc2501e4eecbe71ff2fa2ba8b05cb0e624c2d083cf0067ab6b604eb49326ba

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
\Program Files\7-Zip\update.exe

Filesize
72KB

MD5
77c62ced5b63248aa524099f93c055c5

SHA1
562a998647ef4d04b37a953c19f9725b944e69bd

SHA256
12da1a0fbcf3054998bf67151f4db052cf372f5e2912d554e48b38458b2b961a

SHA512
c4a99bc6a846bc78725c1ad99532561821ca6a4a5d8c072bda5652173e1dd948f454f180db707976177e0d615323b43ef85c68f17d9ba221328cb0c45c646e38

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1c9d79dd68c4572756832f24e321477a

SHA1
ec08f4e1334edee14d150e5b2780794188022504

SHA256
3fae5a5afe7c42a9d13c9338ed1b8cb9b00b3faf04479e242faa1db0c1fd6ca1

SHA512
8db0cfaef501661a97e4a649d83b4aaee591f0b7a81cae43029ffab03e5b5be9a3b3a4a71f535d355074b36f35d154904aa1055c789309c24c3619f465b98ee1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
1c9d79dd68c4572756832f24e321477a

SHA1
ec08f4e1334edee14d150e5b2780794188022504

SHA256
3fae5a5afe7c42a9d13c9338ed1b8cb9b00b3faf04479e242faa1db0c1fd6ca1

SHA512
8db0cfaef501661a97e4a649d83b4aaee591f0b7a81cae43029ffab03e5b5be9a3b3a4a71f535d355074b36f35d154904aa1055c789309c24c3619f465b98ee1

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9c1d286a63ff04d9d3b384401edf517e

SHA1
59f0389b527694b0cfa9fbfc89b1ab1cf889983c

SHA256
6b44aef6628170201e1df6ce95cc65971d3810d0a984cf40fa71b90be4fb119a

SHA512
adb278df62b0c28c35511e09acd2c5aac2f3d3bdc2323d28ba87cce7bf5bd2a4ddf2ee6b19552694482cd7112251ce64f59bb0687c0147030dc624b63fe2dbd0

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
9c1d286a63ff04d9d3b384401edf517e

SHA1
59f0389b527694b0cfa9fbfc89b1ab1cf889983c

SHA256
6b44aef6628170201e1df6ce95cc65971d3810d0a984cf40fa71b90be4fb119a

SHA512
adb278df62b0c28c35511e09acd2c5aac2f3d3bdc2323d28ba87cce7bf5bd2a4ddf2ee6b19552694482cd7112251ce64f59bb0687c0147030dc624b63fe2dbd0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1c9d79dd68c4572756832f24e321477a

SHA1
ec08f4e1334edee14d150e5b2780794188022504

SHA256
3fae5a5afe7c42a9d13c9338ed1b8cb9b00b3faf04479e242faa1db0c1fd6ca1

SHA512
8db0cfaef501661a97e4a649d83b4aaee591f0b7a81cae43029ffab03e5b5be9a3b3a4a71f535d355074b36f35d154904aa1055c789309c24c3619f465b98ee1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1c9d79dd68c4572756832f24e321477a

SHA1
ec08f4e1334edee14d150e5b2780794188022504

SHA256
3fae5a5afe7c42a9d13c9338ed1b8cb9b00b3faf04479e242faa1db0c1fd6ca1

SHA512
8db0cfaef501661a97e4a649d83b4aaee591f0b7a81cae43029ffab03e5b5be9a3b3a4a71f535d355074b36f35d154904aa1055c789309c24c3619f465b98ee1

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d16b0afae8a06909d91e0aeaa6ae65ab

SHA1
e6b0c18af3ce78e0c97e32a4665cb3b533041f1c

SHA256
93e6305829b643a40831aa7c50e94ac3e42a8fe471ba470832d6880f2e6dc72c

SHA512
7b9deb28f02ed34a9d24aa2572b5fa96301d55fc5910270b9a64b2c44b5bf2cb6bae2ac0f2cadc7103c764979aa80caae0bf5d60b2b81610cf9c3cdd3b9754ab

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d16b0afae8a06909d91e0aeaa6ae65ab

SHA1
e6b0c18af3ce78e0c97e32a4665cb3b533041f1c

SHA256
93e6305829b643a40831aa7c50e94ac3e42a8fe471ba470832d6880f2e6dc72c

SHA512
7b9deb28f02ed34a9d24aa2572b5fa96301d55fc5910270b9a64b2c44b5bf2cb6bae2ac0f2cadc7103c764979aa80caae0bf5d60b2b81610cf9c3cdd3b9754ab

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ae0db74f8a6ea048f30a718f699f98e

SHA1
11c64d96efc047075284060439ebddff1962ce6f

SHA256
7a80a069d14d6ce99f9eeaf78217761dc9e4ce56222cd53fbb617cce49c022cb

SHA512
429f7a5125dc9aa672b36d5939042fc490c618f9b52f8dc13aeb81ea670065f2f20510ef8f80416881741d523ee626b3c1b6437aa42209956384df78557974e9

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ae0db74f8a6ea048f30a718f699f98e

SHA1
11c64d96efc047075284060439ebddff1962ce6f

SHA256
7a80a069d14d6ce99f9eeaf78217761dc9e4ce56222cd53fbb617cce49c022cb

SHA512
429f7a5125dc9aa672b36d5939042fc490c618f9b52f8dc13aeb81ea670065f2f20510ef8f80416881741d523ee626b3c1b6437aa42209956384df78557974e9

Download Submit
\Users\Admin\AppData\Local\Temp\1759997982\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
\Users\Admin\AppData\Local\Temp\1759997982\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
17498a44da9c0039e0b1ba9765ac86e5

SHA1
c56d6d58bb2a69b6af97aee7de0b3513abe44889

SHA256
e89fac2429b2c7e429f989080bc4dc524bb14c4c779abe911cdc0102872b1318

SHA512
686e9b78bc53d29f2b8fb0c4050e8b6d382a803b88510ca5874e5af8a63690738503eb0f14adc5a6e7dfc4ae3e3156c4c05626a35a9494a27874e3ec9feb237b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
72KB

MD5
d685c9abc35168a9feaf36e59db89c55

SHA1
8e74919880a5621140424aa88454fb0e5aaff8b9

SHA256
d6077b5194e1a31d2f3e4f60e124c476003641b9c4d0dbbfd4c1a3c8fb874d7a

SHA512
e48699f4addb2a6384268a57b84ed31d8f2c043108dac05ce0243c51f304ce2f0969b3a5cf2934e4481846e43a6361ed289739b8513b72767493075cc941a053

Download Submit
memory/1232-178-0x0000000073FC1000-0x0000000073FC3000-memory.dmp

Filesize
8KB

Download
memory/1656-90-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads