23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7

Analysis

max time kernel
106s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
Size

72KB
MD5

0cf8cc5da5a0454de0b7fdae35d99c1b
SHA1

a1da615c2ef73856e97529b704a2e37a076b2be8
SHA256

23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7
SHA512

e526875d6ae66fbdeea599057d7873b3e40e7e285ac1b706a79a4e4626d389da469f6d4b14ff7459828634440c83ecc80286e5cbedbc1e3366dc0f73bc8da0f0
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2p:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPd

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1788	backup.exe
1712	backup.exe
916	backup.exe
1432	backup.exe
1244	backup.exe
1076	backup.exe
524	backup.exe
1084	backup.exe
1324	backup.exe
1296	backup.exe
1592	backup.exe
1752	backup.exe
1036	backup.exe
1488	backup.exe
1128	backup.exe
980	backup.exe
1588	data.exe
1492	backup.exe
1712	backup.exe
1228	backup.exe
1452	backup.exe
1184	backup.exe
2040	data.exe
1224	System Restore.exe
1936	backup.exe
1428	backup.exe
1220	backup.exe
316	backup.exe
1836	backup.exe
1088	backup.exe
1672	backup.exe
796	backup.exe
848	System Restore.exe
1924	backup.exe
1584	backup.exe
1000	backup.exe
1444	backup.exe
564	System Restore.exe
1192	backup.exe
556	backup.exe
964	backup.exe
984	backup.exe
1456	backup.exe
1956	backup.exe
2028	backup.exe
1492	backup.exe
912	data.exe
1736	backup.exe
1180	backup.exe
1756	data.exe
2036	backup.exe
1648	backup.exe
1656	backup.exe
1892	backup.exe
1468	backup.exe
1948	System Restore.exe
316	backup.exe
576	backup.exe
1968	backup.exe
1672	backup.exe
1896	backup.exe
1636	backup.exe
700	backup.exe
1216	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
1084	backup.exe
1084	backup.exe
1324	backup.exe
1324	backup.exe
1084	backup.exe
1084	backup.exe
1592	backup.exe
1592	backup.exe
1752	backup.exe
1752	backup.exe
1592	backup.exe
1592	backup.exe
1488	backup.exe
1488	backup.exe
1128	backup.exe
1128	backup.exe
1128	backup.exe
1128	backup.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1588	data.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe
1836	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\data.exe	backup.exe
File opened for modification	C:\Windows\addins\update.exe	data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
1788	backup.exe
1712	backup.exe
916	backup.exe
1432	backup.exe
1244	backup.exe
1076	backup.exe
524	backup.exe
1084	backup.exe
1324	backup.exe
1296	backup.exe
1592	backup.exe
1752	backup.exe
1036	backup.exe
1488	backup.exe
1128	backup.exe
980	backup.exe
1588	data.exe
1492	backup.exe
1712	backup.exe
1228	backup.exe
1452	backup.exe
1184	backup.exe
2040	data.exe
1224	System Restore.exe
1936	backup.exe
1428	backup.exe
1220	backup.exe
316	backup.exe
1836	backup.exe
1088	backup.exe
1672	backup.exe
796	backup.exe
848	System Restore.exe
1924	backup.exe
1584	backup.exe
1000	backup.exe
1444	backup.exe
564	System Restore.exe
1192	backup.exe
556	backup.exe
964	backup.exe
984	backup.exe
1456	backup.exe
1956	backup.exe
2028	backup.exe
1492	backup.exe
912	data.exe
1736	backup.exe
1180	backup.exe
1756	data.exe
2036	backup.exe
1648	backup.exe
1656	backup.exe
1468	backup.exe
1892	backup.exe
316	backup.exe
1948	System Restore.exe
576	backup.exe
1968	backup.exe
1896	backup.exe
1636	backup.exe
1672	backup.exe
700	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1788	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	28
PID 536 wrote to memory of 1788	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	28
PID 536 wrote to memory of 1788	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	28
PID 536 wrote to memory of 1788	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	28
PID 536 wrote to memory of 1712	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	29
PID 536 wrote to memory of 1712	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	29
PID 536 wrote to memory of 1712	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	29
PID 536 wrote to memory of 1712	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	29
PID 536 wrote to memory of 916	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	30
PID 536 wrote to memory of 916	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	30
PID 536 wrote to memory of 916	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	30
PID 536 wrote to memory of 916	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	30
PID 536 wrote to memory of 1432	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	31
PID 536 wrote to memory of 1432	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	31
PID 536 wrote to memory of 1432	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	31
PID 536 wrote to memory of 1432	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	31
PID 536 wrote to memory of 1244	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	32
PID 536 wrote to memory of 1244	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	32
PID 536 wrote to memory of 1244	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	32
PID 536 wrote to memory of 1244	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	32
PID 536 wrote to memory of 1076	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	33
PID 536 wrote to memory of 1076	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	33
PID 536 wrote to memory of 1076	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	33
PID 536 wrote to memory of 1076	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	33
PID 536 wrote to memory of 524	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	34
PID 536 wrote to memory of 524	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	34
PID 536 wrote to memory of 524	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	34
PID 536 wrote to memory of 524	536	23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe	34
PID 1788 wrote to memory of 1084	1788	backup.exe	35
PID 1788 wrote to memory of 1084	1788	backup.exe	35
PID 1788 wrote to memory of 1084	1788	backup.exe	35
PID 1788 wrote to memory of 1084	1788	backup.exe	35
PID 1084 wrote to memory of 1324	1084	backup.exe	36
PID 1084 wrote to memory of 1324	1084	backup.exe	36
PID 1084 wrote to memory of 1324	1084	backup.exe	36
PID 1084 wrote to memory of 1324	1084	backup.exe	36
PID 1324 wrote to memory of 1296	1324	backup.exe	37
PID 1324 wrote to memory of 1296	1324	backup.exe	37
PID 1324 wrote to memory of 1296	1324	backup.exe	37
PID 1324 wrote to memory of 1296	1324	backup.exe	37
PID 1084 wrote to memory of 1592	1084	backup.exe	38
PID 1084 wrote to memory of 1592	1084	backup.exe	38
PID 1084 wrote to memory of 1592	1084	backup.exe	38
PID 1084 wrote to memory of 1592	1084	backup.exe	38
PID 1592 wrote to memory of 1752	1592	backup.exe	39
PID 1592 wrote to memory of 1752	1592	backup.exe	39
PID 1592 wrote to memory of 1752	1592	backup.exe	39
PID 1592 wrote to memory of 1752	1592	backup.exe	39
PID 1752 wrote to memory of 1036	1752	backup.exe	40
PID 1752 wrote to memory of 1036	1752	backup.exe	40
PID 1752 wrote to memory of 1036	1752	backup.exe	40
PID 1752 wrote to memory of 1036	1752	backup.exe	40
PID 1592 wrote to memory of 1488	1592	backup.exe	41
PID 1592 wrote to memory of 1488	1592	backup.exe	41
PID 1592 wrote to memory of 1488	1592	backup.exe	41
PID 1592 wrote to memory of 1488	1592	backup.exe	41
PID 1488 wrote to memory of 1128	1488	backup.exe	42
PID 1488 wrote to memory of 1128	1488	backup.exe	42
PID 1488 wrote to memory of 1128	1488	backup.exe	42
PID 1488 wrote to memory of 1128	1488	backup.exe	42
PID 1128 wrote to memory of 980	1128	backup.exe	43
PID 1128 wrote to memory of 980	1128	backup.exe	43
PID 1128 wrote to memory of 980	1128	backup.exe	43
PID 1128 wrote to memory of 980	1128	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe
"C:\Users\Admin\AppData\Local\Temp\23f41cff083f16c913318b6458f7cda9c99c923f4a12217c90c41757500637e7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\1863139266\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1863139266\backup.exe C:\Users\Admin\AppData\Local\Temp\1863139266\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1788
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1084
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1592
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1220
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1040
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1936
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1268
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2040
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:672
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1972
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:524
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1964
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1904
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:776
        
        C:\Program Files\Common Files\System\en-US\data.exe
        
        "C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1404
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1896
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:748
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:872
      - C:\Program Files\DVD Maker\en-US\update.exe
        
        "C:\Program Files\DVD Maker\en-US\update.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2012
      - C:\Program Files\DVD Maker\es-ES\System Restore.exe
        
        "C:\Program Files\DVD Maker\es-ES\System Restore.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1784
      - C:\Program Files\DVD Maker\fr-FR\update.exe
        
        "C:\Program Files\DVD Maker\fr-FR\update.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1924
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:584
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1236
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1484
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:980
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1800
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1948
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:288
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1504
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1780
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:956
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:840
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1472
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        System policy modification
        
        PID:1784
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1776
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1268
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1676
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:564
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1636
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1744
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1068
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:856
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1648
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1892
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:316
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        System policy modification
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1428
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1472
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:268
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:956
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1244
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1324
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1268
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1140
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:688
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1136
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1696
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1948
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:596
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1936
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1916
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1720
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1960
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1552
      - C:\Program Files (x86)\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\update.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1184
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1228
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      PID:1708
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1452
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1688
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:552
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1216
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:1032
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1360
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1136
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1432
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1228
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1192
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1468
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1688
  - - C:\Windows\data.exe
      C:\Windows\data.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      System policy modification
      PID:1000
    - - C:\Windows\addins\update.exe
        
        C:\Windows\addins\update.exe C:\Windows\addins\
        5⤵
        
        PID:432
    - - C:\Windows\AppCompat\System Restore.exe
        
        "C:\Windows\AppCompat\System Restore.exe" C:\Windows\AppCompat\
        5⤵
        
        PID:2008
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:316
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
86d23035f64957136bd52d9517e36b65

SHA1
4854558ca06f96b31a782d97a072dcd83888841b

SHA256
8d6ff9af11cb8789b10d8e2e908876cf9e3c1cf7478e9cc86041f3b9fd272788

SHA512
43a4d685682d83edd65b758b3d43fb09bcd0039994cffab094ec6e86de84d6bfa353d3adcbd8e617de59f2f1e4eb8f9c35ebdc8b120b15ba90274c1b23b71009

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9d9a872b0429fe51e0e0d5ab9212d006

SHA1
fd28b25304e61291392e3d6e940d630f14dcb17b

SHA256
b4cd26eb039df43cdeb81879ef58b2844ef083f08e26eee308601e5e8f81c444

SHA512
9465bc3e36ccffd5ed1f41ed7d2ae87fc782693f9c1a0a47acaba30ad094a05f78c9faf1a56eae6dc8624e2d64bd15b9ace4c76eafe52832f30e3331993245b8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
9d9a872b0429fe51e0e0d5ab9212d006

SHA1
fd28b25304e61291392e3d6e940d630f14dcb17b

SHA256
b4cd26eb039df43cdeb81879ef58b2844ef083f08e26eee308601e5e8f81c444

SHA512
9465bc3e36ccffd5ed1f41ed7d2ae87fc782693f9c1a0a47acaba30ad094a05f78c9faf1a56eae6dc8624e2d64bd15b9ace4c76eafe52832f30e3331993245b8

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
314dea4d380d1b0e134cabdc0d26ba44

SHA1
3bc6897504a5b6cfec9482cc8062bc91d155a54f

SHA256
8c9a109c6d5d698e341477c2449a67e1722d251f27ce6aa10ee4b1d12dc33d7b

SHA512
d5bd0e54efe9f8a1be89d9780609a8ba68b6347caa3a583876951670657e72bcc72a02b48ce6b24410181dd5d0f1082cb72ea9fab752af9494d396588ea34223

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fedbb0263acfcc9c803518857047cdd6

SHA1
9fb000aa57919a48f547dcb2dbf319785440ab36

SHA256
46e40c23e4b8203ffd96626ccdec40de65a76741e5f7736042b9fac9fc13d842

SHA512
0301ab2a4c43a71df67e0a8e070d55a6cfee969f20a5f757d0750935978a64612b9c221476c8bfb30af2397843d56bbed3dfffa1aaf0933b8d157a8822f5038d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fedbb0263acfcc9c803518857047cdd6

SHA1
9fb000aa57919a48f547dcb2dbf319785440ab36

SHA256
46e40c23e4b8203ffd96626ccdec40de65a76741e5f7736042b9fac9fc13d842

SHA512
0301ab2a4c43a71df67e0a8e070d55a6cfee969f20a5f757d0750935978a64612b9c221476c8bfb30af2397843d56bbed3dfffa1aaf0933b8d157a8822f5038d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68bd3541447781d429daa7fc6db1c416

SHA1
d2166708a83e9c8012e4734ac82a2f6a3066ba18

SHA256
6dae05d6304a64210efda7fd4e841d4bae8e5d480d58fbe3f04f1a58f169a800

SHA512
cd437d962ce430f92280c39a0e582dc87619711467838dd81bb7703e91fae38643df1996b5b7b246313c2c3c715f4a4ff70b1756c08b9c7d103ce4585275466f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
798e5647efd4ce836429e86e47cd0569

SHA1
52f22902e5204471381ccaa899e6a76e4f4a8a4f

SHA256
b119e2936974cd43d215c31c98f670e10dd2d4530c8cb6bfd2d3e808dd44af0b

SHA512
82371140854bde950405484a77557d31092bdecfdf112ec467813fc17af6bcab7deeb9ded77c21c0257ae26b5ef92e28e38b9ba7ef2bd485999713360f0dd7f4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
798e5647efd4ce836429e86e47cd0569

SHA1
52f22902e5204471381ccaa899e6a76e4f4a8a4f

SHA256
b119e2936974cd43d215c31c98f670e10dd2d4530c8cb6bfd2d3e808dd44af0b

SHA512
82371140854bde950405484a77557d31092bdecfdf112ec467813fc17af6bcab7deeb9ded77c21c0257ae26b5ef92e28e38b9ba7ef2bd485999713360f0dd7f4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
25df49d2ebdad6f8dc98abcb96ec2b01

SHA1
56224f0d1aeb36e80349132b076abd6375898a0b

SHA256
9113f26db52fa2832e5ab921c7df1f6d30948261a9ea52c50d3b11599eac0124

SHA512
c9aebc2ab78d043df0ab22021396a155f46843c6bdecaba2c7cc658008caacdc986631f3ef7d3bebc9b57f668159220cbf5a64d65fa5b364eb2bfc46b4d7c82e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
62509192a4aec6679a25fc6910cc5bde

SHA1
2148b42c6baebd585d4b653870b935c58d6fd681

SHA256
bf124e59c1c6cb57f6667c49bf749bf965852a717ed3089c396e3d2042e0bbbd

SHA512
85c48c5aff7b2599a1639ee9d6914ef9624736b1f97c58212b2491500e2f002c3b28562a7d21b34584d12b0baa51f9623049d067310598acd9627bdbe274e814

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
1d6303478759795edcd8658a64db7f2f

SHA1
8a01339938714a32aa53c74d0fd8504593e7fdc8

SHA256
27882bd7ac6c124fb613c27dd0c89bc64ec6a7a2f7d42093abbbfa799b618df3

SHA512
9ce9f809cefb97c759ec48ad2a41ac9d91d516e64319b9ba91a3b2f84691db759e091dc6bda2bc91abb8cd39bcb44b907bcd423580e246181645f44644e3bd6d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
1d6303478759795edcd8658a64db7f2f

SHA1
8a01339938714a32aa53c74d0fd8504593e7fdc8

SHA256
27882bd7ac6c124fb613c27dd0c89bc64ec6a7a2f7d42093abbbfa799b618df3

SHA512
9ce9f809cefb97c759ec48ad2a41ac9d91d516e64319b9ba91a3b2f84691db759e091dc6bda2bc91abb8cd39bcb44b907bcd423580e246181645f44644e3bd6d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
602bb9ad25e0e8347d8f8beacdf11609

SHA1
a1977c00e9527d95c570040404aba41986f3880e

SHA256
83b431006851e3c91a0de1d141588af4add906c985c18f6049d779124ab20ce4

SHA512
5f1c040792a8ba0dfe333944b9060df857a44e384bf4a2d17168af0c0e00bc7f2aeb35654e5bfe79b99f11f1b133d606e00bba72e027a897afbe53dd310ac888

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
602bb9ad25e0e8347d8f8beacdf11609

SHA1
a1977c00e9527d95c570040404aba41986f3880e

SHA256
83b431006851e3c91a0de1d141588af4add906c985c18f6049d779124ab20ce4

SHA512
5f1c040792a8ba0dfe333944b9060df857a44e384bf4a2d17168af0c0e00bc7f2aeb35654e5bfe79b99f11f1b133d606e00bba72e027a897afbe53dd310ac888

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
18b04960d82a906a60249d011181e33d

SHA1
eb7b9abcb94a69c4bab3bb88cf7dd633a543a0e5

SHA256
16f1cb53927529fb4a72cf591b57b953b1a3ad359928a1df44620b60331a2191

SHA512
ebf0b89fa8eedbc2ebbfe947b47924de418c8b95d53f29cefaa66f53f99ab1ba5dc2c5ef556dfc4d672ac5e944df254a37321afc9b1ba5efad13edb844719376

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
18b04960d82a906a60249d011181e33d

SHA1
eb7b9abcb94a69c4bab3bb88cf7dd633a543a0e5

SHA256
16f1cb53927529fb4a72cf591b57b953b1a3ad359928a1df44620b60331a2191

SHA512
ebf0b89fa8eedbc2ebbfe947b47924de418c8b95d53f29cefaa66f53f99ab1ba5dc2c5ef556dfc4d672ac5e944df254a37321afc9b1ba5efad13edb844719376

Download Submit
C:\Users\Admin\AppData\Local\Temp\1863139266\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1863139266\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
76198b0ec307931272e9a3929322585b

SHA1
b6a8e39d289159bcc433b54fc82a706ae65d6c36

SHA256
33af2b0ee0c358ae2d6128dad55b79fe430ac4cefd693b30f1b63a66abb0aec3

SHA512
6e96bb84df993f1cb4da5028b5b8a32db1a3d17781cacda64865488877d4a10d521bdc687b8575bfe3c5e1b5d49fb0ba19478292d4396f6cc8dd1ccc77fcc5a5

Download Submit
C:\backup.exe

Filesize
72KB

MD5
76198b0ec307931272e9a3929322585b

SHA1
b6a8e39d289159bcc433b54fc82a706ae65d6c36

SHA256
33af2b0ee0c358ae2d6128dad55b79fe430ac4cefd693b30f1b63a66abb0aec3

SHA512
6e96bb84df993f1cb4da5028b5b8a32db1a3d17781cacda64865488877d4a10d521bdc687b8575bfe3c5e1b5d49fb0ba19478292d4396f6cc8dd1ccc77fcc5a5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
86d23035f64957136bd52d9517e36b65

SHA1
4854558ca06f96b31a782d97a072dcd83888841b

SHA256
8d6ff9af11cb8789b10d8e2e908876cf9e3c1cf7478e9cc86041f3b9fd272788

SHA512
43a4d685682d83edd65b758b3d43fb09bcd0039994cffab094ec6e86de84d6bfa353d3adcbd8e617de59f2f1e4eb8f9c35ebdc8b120b15ba90274c1b23b71009

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
86d23035f64957136bd52d9517e36b65

SHA1
4854558ca06f96b31a782d97a072dcd83888841b

SHA256
8d6ff9af11cb8789b10d8e2e908876cf9e3c1cf7478e9cc86041f3b9fd272788

SHA512
43a4d685682d83edd65b758b3d43fb09bcd0039994cffab094ec6e86de84d6bfa353d3adcbd8e617de59f2f1e4eb8f9c35ebdc8b120b15ba90274c1b23b71009

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
9d9a872b0429fe51e0e0d5ab9212d006

SHA1
fd28b25304e61291392e3d6e940d630f14dcb17b

SHA256
b4cd26eb039df43cdeb81879ef58b2844ef083f08e26eee308601e5e8f81c444

SHA512
9465bc3e36ccffd5ed1f41ed7d2ae87fc782693f9c1a0a47acaba30ad094a05f78c9faf1a56eae6dc8624e2d64bd15b9ace4c76eafe52832f30e3331993245b8

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
9d9a872b0429fe51e0e0d5ab9212d006

SHA1
fd28b25304e61291392e3d6e940d630f14dcb17b

SHA256
b4cd26eb039df43cdeb81879ef58b2844ef083f08e26eee308601e5e8f81c444

SHA512
9465bc3e36ccffd5ed1f41ed7d2ae87fc782693f9c1a0a47acaba30ad094a05f78c9faf1a56eae6dc8624e2d64bd15b9ace4c76eafe52832f30e3331993245b8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
314dea4d380d1b0e134cabdc0d26ba44

SHA1
3bc6897504a5b6cfec9482cc8062bc91d155a54f

SHA256
8c9a109c6d5d698e341477c2449a67e1722d251f27ce6aa10ee4b1d12dc33d7b

SHA512
d5bd0e54efe9f8a1be89d9780609a8ba68b6347caa3a583876951670657e72bcc72a02b48ce6b24410181dd5d0f1082cb72ea9fab752af9494d396588ea34223

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
314dea4d380d1b0e134cabdc0d26ba44

SHA1
3bc6897504a5b6cfec9482cc8062bc91d155a54f

SHA256
8c9a109c6d5d698e341477c2449a67e1722d251f27ce6aa10ee4b1d12dc33d7b

SHA512
d5bd0e54efe9f8a1be89d9780609a8ba68b6347caa3a583876951670657e72bcc72a02b48ce6b24410181dd5d0f1082cb72ea9fab752af9494d396588ea34223

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fedbb0263acfcc9c803518857047cdd6

SHA1
9fb000aa57919a48f547dcb2dbf319785440ab36

SHA256
46e40c23e4b8203ffd96626ccdec40de65a76741e5f7736042b9fac9fc13d842

SHA512
0301ab2a4c43a71df67e0a8e070d55a6cfee969f20a5f757d0750935978a64612b9c221476c8bfb30af2397843d56bbed3dfffa1aaf0933b8d157a8822f5038d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fedbb0263acfcc9c803518857047cdd6

SHA1
9fb000aa57919a48f547dcb2dbf319785440ab36

SHA256
46e40c23e4b8203ffd96626ccdec40de65a76741e5f7736042b9fac9fc13d842

SHA512
0301ab2a4c43a71df67e0a8e070d55a6cfee969f20a5f757d0750935978a64612b9c221476c8bfb30af2397843d56bbed3dfffa1aaf0933b8d157a8822f5038d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68bd3541447781d429daa7fc6db1c416

SHA1
d2166708a83e9c8012e4734ac82a2f6a3066ba18

SHA256
6dae05d6304a64210efda7fd4e841d4bae8e5d480d58fbe3f04f1a58f169a800

SHA512
cd437d962ce430f92280c39a0e582dc87619711467838dd81bb7703e91fae38643df1996b5b7b246313c2c3c715f4a4ff70b1756c08b9c7d103ce4585275466f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
68bd3541447781d429daa7fc6db1c416

SHA1
d2166708a83e9c8012e4734ac82a2f6a3066ba18

SHA256
6dae05d6304a64210efda7fd4e841d4bae8e5d480d58fbe3f04f1a58f169a800

SHA512
cd437d962ce430f92280c39a0e582dc87619711467838dd81bb7703e91fae38643df1996b5b7b246313c2c3c715f4a4ff70b1756c08b9c7d103ce4585275466f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
798e5647efd4ce836429e86e47cd0569

SHA1
52f22902e5204471381ccaa899e6a76e4f4a8a4f

SHA256
b119e2936974cd43d215c31c98f670e10dd2d4530c8cb6bfd2d3e808dd44af0b

SHA512
82371140854bde950405484a77557d31092bdecfdf112ec467813fc17af6bcab7deeb9ded77c21c0257ae26b5ef92e28e38b9ba7ef2bd485999713360f0dd7f4

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
798e5647efd4ce836429e86e47cd0569

SHA1
52f22902e5204471381ccaa899e6a76e4f4a8a4f

SHA256
b119e2936974cd43d215c31c98f670e10dd2d4530c8cb6bfd2d3e808dd44af0b

SHA512
82371140854bde950405484a77557d31092bdecfdf112ec467813fc17af6bcab7deeb9ded77c21c0257ae26b5ef92e28e38b9ba7ef2bd485999713360f0dd7f4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
25df49d2ebdad6f8dc98abcb96ec2b01

SHA1
56224f0d1aeb36e80349132b076abd6375898a0b

SHA256
9113f26db52fa2832e5ab921c7df1f6d30948261a9ea52c50d3b11599eac0124

SHA512
c9aebc2ab78d043df0ab22021396a155f46843c6bdecaba2c7cc658008caacdc986631f3ef7d3bebc9b57f668159220cbf5a64d65fa5b364eb2bfc46b4d7c82e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
25df49d2ebdad6f8dc98abcb96ec2b01

SHA1
56224f0d1aeb36e80349132b076abd6375898a0b

SHA256
9113f26db52fa2832e5ab921c7df1f6d30948261a9ea52c50d3b11599eac0124

SHA512
c9aebc2ab78d043df0ab22021396a155f46843c6bdecaba2c7cc658008caacdc986631f3ef7d3bebc9b57f668159220cbf5a64d65fa5b364eb2bfc46b4d7c82e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
62509192a4aec6679a25fc6910cc5bde

SHA1
2148b42c6baebd585d4b653870b935c58d6fd681

SHA256
bf124e59c1c6cb57f6667c49bf749bf965852a717ed3089c396e3d2042e0bbbd

SHA512
85c48c5aff7b2599a1639ee9d6914ef9624736b1f97c58212b2491500e2f002c3b28562a7d21b34584d12b0baa51f9623049d067310598acd9627bdbe274e814

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
62509192a4aec6679a25fc6910cc5bde

SHA1
2148b42c6baebd585d4b653870b935c58d6fd681

SHA256
bf124e59c1c6cb57f6667c49bf749bf965852a717ed3089c396e3d2042e0bbbd

SHA512
85c48c5aff7b2599a1639ee9d6914ef9624736b1f97c58212b2491500e2f002c3b28562a7d21b34584d12b0baa51f9623049d067310598acd9627bdbe274e814

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
62509192a4aec6679a25fc6910cc5bde

SHA1
2148b42c6baebd585d4b653870b935c58d6fd681

SHA256
bf124e59c1c6cb57f6667c49bf749bf965852a717ed3089c396e3d2042e0bbbd

SHA512
85c48c5aff7b2599a1639ee9d6914ef9624736b1f97c58212b2491500e2f002c3b28562a7d21b34584d12b0baa51f9623049d067310598acd9627bdbe274e814

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
1d6303478759795edcd8658a64db7f2f

SHA1
8a01339938714a32aa53c74d0fd8504593e7fdc8

SHA256
27882bd7ac6c124fb613c27dd0c89bc64ec6a7a2f7d42093abbbfa799b618df3

SHA512
9ce9f809cefb97c759ec48ad2a41ac9d91d516e64319b9ba91a3b2f84691db759e091dc6bda2bc91abb8cd39bcb44b907bcd423580e246181645f44644e3bd6d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
1d6303478759795edcd8658a64db7f2f

SHA1
8a01339938714a32aa53c74d0fd8504593e7fdc8

SHA256
27882bd7ac6c124fb613c27dd0c89bc64ec6a7a2f7d42093abbbfa799b618df3

SHA512
9ce9f809cefb97c759ec48ad2a41ac9d91d516e64319b9ba91a3b2f84691db759e091dc6bda2bc91abb8cd39bcb44b907bcd423580e246181645f44644e3bd6d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
602bb9ad25e0e8347d8f8beacdf11609

SHA1
a1977c00e9527d95c570040404aba41986f3880e

SHA256
83b431006851e3c91a0de1d141588af4add906c985c18f6049d779124ab20ce4

SHA512
5f1c040792a8ba0dfe333944b9060df857a44e384bf4a2d17168af0c0e00bc7f2aeb35654e5bfe79b99f11f1b133d606e00bba72e027a897afbe53dd310ac888

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
602bb9ad25e0e8347d8f8beacdf11609

SHA1
a1977c00e9527d95c570040404aba41986f3880e

SHA256
83b431006851e3c91a0de1d141588af4add906c985c18f6049d779124ab20ce4

SHA512
5f1c040792a8ba0dfe333944b9060df857a44e384bf4a2d17168af0c0e00bc7f2aeb35654e5bfe79b99f11f1b133d606e00bba72e027a897afbe53dd310ac888

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
18b04960d82a906a60249d011181e33d

SHA1
eb7b9abcb94a69c4bab3bb88cf7dd633a543a0e5

SHA256
16f1cb53927529fb4a72cf591b57b953b1a3ad359928a1df44620b60331a2191

SHA512
ebf0b89fa8eedbc2ebbfe947b47924de418c8b95d53f29cefaa66f53f99ab1ba5dc2c5ef556dfc4d672ac5e944df254a37321afc9b1ba5efad13edb844719376

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
18b04960d82a906a60249d011181e33d

SHA1
eb7b9abcb94a69c4bab3bb88cf7dd633a543a0e5

SHA256
16f1cb53927529fb4a72cf591b57b953b1a3ad359928a1df44620b60331a2191

SHA512
ebf0b89fa8eedbc2ebbfe947b47924de418c8b95d53f29cefaa66f53f99ab1ba5dc2c5ef556dfc4d672ac5e944df254a37321afc9b1ba5efad13edb844719376

Download Submit
\Users\Admin\AppData\Local\Temp\1863139266\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\1863139266\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6a6e39fdab2d31dc159389e128aae80e

SHA1
0521d80aaecbe3c78081a77d31ea8ffe67f1839f

SHA256
13394a96ea583a89c7b0f263bf0c2742021859f58ebe5d36e314559e39614306

SHA512
7b884c764f5af25c32a97781965a0e5784b0be41cf584a6022b41a8801a2c64692ccf66f6240073c779544b7302674985e6e69cb26c3922d39afbc97d4e6e5d6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
faed3d48343aa6a8b7772fa04c4c86a7

SHA1
86dbf349cf097c5767e5a0d07960ecfd9af60043

SHA256
832d877feb1adebc9974b8e27c29e4600b51650bb174265df5f7816f0e5917d6

SHA512
e1e754275b13148d221b18420f39c758d0c3d1aaf90817088b752a88602138dcf73d4f9c5d1aa3e7db308c1e9e538f61b3a7b17ea12c1c514a12469b4fb6e43c

Download Submit
memory/536-118-0x0000000074611000-0x0000000074613000-memory.dmp

Filesize
8KB

Download
memory/536-98-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads