20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44

Analysis

max time kernel
206s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
Size

72KB
MD5

0546137e1b740f5aa4180462156ffaa1
SHA1

9bd5d5e795e99f32442003b6bc58557c232b789f
SHA256

20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44
SHA512

e326b9b6363e2cee840c5dc4c95d59c1e48cf634ac79cea71d1f0b808de3908a1b6c144a5b4da0cfb063733332bb4d84751cd9ceec4bb07a35916d93c253adb5
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2a:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPu

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
764	backup.exe
1400	System Restore.exe
916	backup.exe
1112	backup.exe
1696	backup.exe
112	backup.exe
876	backup.exe
1644	backup.exe
852	backup.exe
2020	backup.exe
596	backup.exe
1556	backup.exe
812	backup.exe
1792	backup.exe
1540	data.exe
1352	backup.exe
1080	System Restore.exe
876	backup.exe
1992	backup.exe
1952	backup.exe
828	backup.exe
744	backup.exe
1708	backup.exe
1932	backup.exe
1312	backup.exe
1988	backup.exe
1532	backup.exe
536	backup.exe
1296	backup.exe
1308	backup.exe
672	backup.exe
584	backup.exe
1656	backup.exe
1168	backup.exe
1780	backup.exe
1600	backup.exe
1628	backup.exe
560	backup.exe
1496	backup.exe
1504	backup.exe
324	backup.exe
1652	backup.exe
960	backup.exe
440	data.exe
1096	backup.exe
1052	backup.exe
1508	backup.exe
888	backup.exe
1992	backup.exe
2016	update.exe
1516	backup.exe
1920	backup.exe
1764	backup.exe
896	data.exe
1620	data.exe
932	backup.exe
1356	backup.exe
1932	backup.exe
1976	backup.exe
288	backup.exe
324	backup.exe
1960	backup.exe
1924	backup.exe
1640	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
1644	backup.exe
1644	backup.exe
852	backup.exe
852	backup.exe
1644	backup.exe
1644	backup.exe
596	backup.exe
596	backup.exe
1556	backup.exe
1556	backup.exe
596	backup.exe
596	backup.exe
1792	backup.exe
1792	backup.exe
1540	data.exe
1540	data.exe
1540	data.exe
1540	data.exe
596	backup.exe
596	backup.exe
1644	backup.exe
1644	backup.exe
1020	backup.exe
1020	backup.exe
1792	backup.exe
1792	backup.exe
1540	data.exe
1540	data.exe
1644	backup.exe
1644	backup.exe
1020	backup.exe
1792	backup.exe
1792	backup.exe
1020	backup.exe
1540	data.exe
596	backup.exe
596	backup.exe
1540	data.exe
1952	backup.exe
1952	backup.exe
744	backup.exe
744	backup.exe
876	backup.exe
876	backup.exe
1988	backup.exe
1988	backup.exe
1932	backup.exe
1932	backup.exe
1708	backup.exe
1532	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
764	backup.exe
1400	System Restore.exe
916	backup.exe
1112	backup.exe
1696	backup.exe
112	backup.exe
876	backup.exe
1644	backup.exe
852	backup.exe
2020	backup.exe
596	backup.exe
1556	backup.exe
812	backup.exe
1792	backup.exe
1540	data.exe
1352	backup.exe
932	backup.exe
1168	backup.exe
468	System Restore.exe
1916	System Restore.exe
1760	backup.exe
896	backup.exe
1616	backup.exe
1772	backup.exe
900	backup.exe
1488	backup.exe
948	backup.exe
1020	backup.exe
876	backup.exe
828	backup.exe
1992	backup.exe
744	backup.exe
1952	backup.exe
856	backup.exe
1928	backup.exe
1708	backup.exe
1988	backup.exe
1532	backup.exe
1932	backup.exe
1312	backup.exe
536	backup.exe
1296	backup.exe
1308	backup.exe
584	backup.exe
1976	backup.exe
1656	backup.exe
672	backup.exe
1168	backup.exe
1600	backup.exe
1780	backup.exe
560	backup.exe
1628	backup.exe
1496	backup.exe
316	backup.exe
324	backup.exe
960	backup.exe
440	data.exe
1052	backup.exe
1652	backup.exe
1412	backup.exe
1508	backup.exe
1096	backup.exe
888	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 764	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	28
PID 956 wrote to memory of 764	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	28
PID 956 wrote to memory of 764	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	28
PID 956 wrote to memory of 764	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	28
PID 956 wrote to memory of 1400	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	29
PID 956 wrote to memory of 1400	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	29
PID 956 wrote to memory of 1400	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	29
PID 956 wrote to memory of 1400	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	29
PID 956 wrote to memory of 916	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	30
PID 956 wrote to memory of 916	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	30
PID 956 wrote to memory of 916	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	30
PID 956 wrote to memory of 916	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	30
PID 956 wrote to memory of 1112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	31
PID 956 wrote to memory of 1112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	31
PID 956 wrote to memory of 1112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	31
PID 956 wrote to memory of 1112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	31
PID 956 wrote to memory of 1696	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	32
PID 956 wrote to memory of 1696	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	32
PID 956 wrote to memory of 1696	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	32
PID 956 wrote to memory of 1696	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	32
PID 956 wrote to memory of 112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	33
PID 956 wrote to memory of 112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	33
PID 956 wrote to memory of 112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	33
PID 956 wrote to memory of 112	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	33
PID 956 wrote to memory of 876	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	34
PID 956 wrote to memory of 876	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	34
PID 956 wrote to memory of 876	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	34
PID 956 wrote to memory of 876	956	20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe	34
PID 764 wrote to memory of 1644	764	backup.exe	35
PID 764 wrote to memory of 1644	764	backup.exe	35
PID 764 wrote to memory of 1644	764	backup.exe	35
PID 764 wrote to memory of 1644	764	backup.exe	35
PID 1644 wrote to memory of 852	1644	backup.exe	36
PID 1644 wrote to memory of 852	1644	backup.exe	36
PID 1644 wrote to memory of 852	1644	backup.exe	36
PID 1644 wrote to memory of 852	1644	backup.exe	36
PID 852 wrote to memory of 2020	852	backup.exe	37
PID 852 wrote to memory of 2020	852	backup.exe	37
PID 852 wrote to memory of 2020	852	backup.exe	37
PID 852 wrote to memory of 2020	852	backup.exe	37
PID 1644 wrote to memory of 596	1644	backup.exe	38
PID 1644 wrote to memory of 596	1644	backup.exe	38
PID 1644 wrote to memory of 596	1644	backup.exe	38
PID 1644 wrote to memory of 596	1644	backup.exe	38
PID 596 wrote to memory of 1556	596	backup.exe	39
PID 596 wrote to memory of 1556	596	backup.exe	39
PID 596 wrote to memory of 1556	596	backup.exe	39
PID 596 wrote to memory of 1556	596	backup.exe	39
PID 1556 wrote to memory of 812	1556	backup.exe	40
PID 1556 wrote to memory of 812	1556	backup.exe	40
PID 1556 wrote to memory of 812	1556	backup.exe	40
PID 1556 wrote to memory of 812	1556	backup.exe	40
PID 596 wrote to memory of 1792	596	backup.exe	41
PID 596 wrote to memory of 1792	596	backup.exe	41
PID 596 wrote to memory of 1792	596	backup.exe	41
PID 596 wrote to memory of 1792	596	backup.exe	41
PID 1792 wrote to memory of 1540	1792	backup.exe	42
PID 1792 wrote to memory of 1540	1792	backup.exe	42
PID 1792 wrote to memory of 1540	1792	backup.exe	42
PID 1792 wrote to memory of 1540	1792	backup.exe	42
PID 1540 wrote to memory of 1352	1540	data.exe	43
PID 1540 wrote to memory of 1352	1540	data.exe	43
PID 1540 wrote to memory of 1352	1540	data.exe	43
PID 1540 wrote to memory of 1352	1540	data.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe
"C:\Users\Admin\AppData\Local\Temp\20a8aef1b1da7251ea7f41cd3358ecab322a9e2347b4709bf7067014c45a3a44.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\1228708684\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1228708684\backup.exe C:\Users\Admin\AppData\Local\Temp\1228708684\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:852
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2020
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:596
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1556
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1792
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1820
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2072
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:584
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:288
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1576
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:960
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2016
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1412
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:520
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:584
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2080
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:744
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:560
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        
        PID:1652
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        
        PID:1992
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Executes dropped EXE
        
        PID:1356
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:324
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1096
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1420
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        System policy modification
        
        PID:520
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1620
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:572
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2104
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1504
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:932
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1348
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1616
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1048
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1920
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1488
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:1620
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1208
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1308
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1444
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:188
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1624
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1488
      - C:\Program Files\Internet Explorer\fr-FR\update.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2088
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:560
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1000
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2008
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2056
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:876
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:440
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1244
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1096
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1480
      - C:\Program Files (x86)\Common Files\Adobe\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\update.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:1008
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:2064
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1588
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2096
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1732
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1532
      - C:\Program Files (x86)\Google\Policies\data.exe
        
        "C:\Program Files (x86)\Google\Policies\data.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:1400
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1168
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2000
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1960
      - C:\Program Files (x86)\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\System Restore.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:972
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2036
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2024
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1708
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        
        PID:324
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:888
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1920
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1932
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Executes dropped EXE
        
        PID:1924
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1760
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1604
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        System policy modification
        
        PID:1756
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System policy modification
        
        PID:900
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2040
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:812
    - - C:\Users\Public\System Restore.exe
        
        "C:\Users\Public\System Restore.exe" C:\Users\Public\
        5⤵
        System policy modification
        
        PID:1636
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:2008
      - C:\Users\Public\Downloads\data.exe
        
        C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1208
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1532
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1052
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:768
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        System policy modification
        
        PID:1712
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1988
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1412
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1656
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:112
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
fd16691e20f06f9395bfb4fc615b995e

SHA1
4ef41e15415a30f0b44df3d6f1808645ec087203

SHA256
eccdf47bd19d3444d97e76fd64c4f96005c2beff9cd9812b8515622fe25c7c09

SHA512
872ae693e124df7839fd5f0f9144e7c4543c20dd9bda42378f07c75b45366ac434395d051dc69542d2bf448abcc9f9dd47740d1b1a486e6b0b5221b2c727d091

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e5fe73fa127a1a9f7c36983c73663b26

SHA1
4beda30bb7a08dbbee3cc47b2f7410131c9eb8a8

SHA256
0e52e2aa397b6d2a9d97630953cdcdf83e99578125804cafda063000866b064d

SHA512
670514ec77910bea43a563e35493b7c991dcd5104a7dbcd3db2e9d1aa2fb9c020915ba4ed4f9d7faa8925856cdb4648c45cc16149e98485f9036a76675bd8cb5

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
26c136c6bf2b5b610dd4b194337e6888

SHA1
18ba55822f43eab5f2a3ba71011fd5e700e705d1

SHA256
43e93b8addc241052807acaedffbaabdb61904dc784784e69f6d3837959a02fe

SHA512
bb6712412a6783b5e03d7d4370b339c69bf3a7ff7cac621378a98b00d1ac92f9922ade9980247145050c3540c79a3a4a96e940b8a5b442f99c02a88566c8fd33

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
26c136c6bf2b5b610dd4b194337e6888

SHA1
18ba55822f43eab5f2a3ba71011fd5e700e705d1

SHA256
43e93b8addc241052807acaedffbaabdb61904dc784784e69f6d3837959a02fe

SHA512
bb6712412a6783b5e03d7d4370b339c69bf3a7ff7cac621378a98b00d1ac92f9922ade9980247145050c3540c79a3a4a96e940b8a5b442f99c02a88566c8fd33

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13d4a41813a3a820d8415261a7ef0682

SHA1
15f41b2c8895056a5c4e4620f5c997161a530e6f

SHA256
4a5b19728e78a483afad52e09d09d469833a18ab39bc21b2f8819f743b143a99

SHA512
a3d52a0bb8af5192a9df617071ab94002133af04886a3cf98c72cd3b0bf2f6a83ae0e4b4cb15a97a7ee45653df98d77e5e229ebfa96f1a84bc67de95c8283db8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13d4a41813a3a820d8415261a7ef0682

SHA1
15f41b2c8895056a5c4e4620f5c997161a530e6f

SHA256
4a5b19728e78a483afad52e09d09d469833a18ab39bc21b2f8819f743b143a99

SHA512
a3d52a0bb8af5192a9df617071ab94002133af04886a3cf98c72cd3b0bf2f6a83ae0e4b4cb15a97a7ee45653df98d77e5e229ebfa96f1a84bc67de95c8283db8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1228708684\backup.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1228708684\backup.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e9e452b494240326314ec1d95088d391

SHA1
9a8ce80457c1c51ce07e61b30bdb3fd4261a8063

SHA256
82c11fecc90a5ab1a1900cbc23df8d35e4919a31ffefddd409a0c2e4215691fd

SHA512
db636bb856c15282bd4bf75e57732ccd7f4f2bcda383fef3750b3448b5a5e0a4baf6c05b3d97484dd2efad8bd5ead0f1330bdca3771651be95df3a30fc17a80c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e9e452b494240326314ec1d95088d391

SHA1
9a8ce80457c1c51ce07e61b30bdb3fd4261a8063

SHA256
82c11fecc90a5ab1a1900cbc23df8d35e4919a31ffefddd409a0c2e4215691fd

SHA512
db636bb856c15282bd4bf75e57732ccd7f4f2bcda383fef3750b3448b5a5e0a4baf6c05b3d97484dd2efad8bd5ead0f1330bdca3771651be95df3a30fc17a80c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
fd16691e20f06f9395bfb4fc615b995e

SHA1
4ef41e15415a30f0b44df3d6f1808645ec087203

SHA256
eccdf47bd19d3444d97e76fd64c4f96005c2beff9cd9812b8515622fe25c7c09

SHA512
872ae693e124df7839fd5f0f9144e7c4543c20dd9bda42378f07c75b45366ac434395d051dc69542d2bf448abcc9f9dd47740d1b1a486e6b0b5221b2c727d091

Download Submit
\Program Files (x86)\backup.exe

Filesize
72KB

MD5
fd16691e20f06f9395bfb4fc615b995e

SHA1
4ef41e15415a30f0b44df3d6f1808645ec087203

SHA256
eccdf47bd19d3444d97e76fd64c4f96005c2beff9cd9812b8515622fe25c7c09

SHA512
872ae693e124df7839fd5f0f9144e7c4543c20dd9bda42378f07c75b45366ac434395d051dc69542d2bf448abcc9f9dd47740d1b1a486e6b0b5221b2c727d091

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e5fe73fa127a1a9f7c36983c73663b26

SHA1
4beda30bb7a08dbbee3cc47b2f7410131c9eb8a8

SHA256
0e52e2aa397b6d2a9d97630953cdcdf83e99578125804cafda063000866b064d

SHA512
670514ec77910bea43a563e35493b7c991dcd5104a7dbcd3db2e9d1aa2fb9c020915ba4ed4f9d7faa8925856cdb4648c45cc16149e98485f9036a76675bd8cb5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e5fe73fa127a1a9f7c36983c73663b26

SHA1
4beda30bb7a08dbbee3cc47b2f7410131c9eb8a8

SHA256
0e52e2aa397b6d2a9d97630953cdcdf83e99578125804cafda063000866b064d

SHA512
670514ec77910bea43a563e35493b7c991dcd5104a7dbcd3db2e9d1aa2fb9c020915ba4ed4f9d7faa8925856cdb4648c45cc16149e98485f9036a76675bd8cb5

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e0cae463e57ff03df250d27587249cd6

SHA1
5f288b555dbb6083236fc0caf74752f362a8d860

SHA256
f7ad93ba0b21d2107018697fd669404001a33819de62f9a5b1a3914ba83b2abe

SHA512
887641bc1c9819c242d3b49be4ea6df31cb0240d2078b4b1c7331f3c2ea723b0224bf6f68af70b176d671390a5bfa352c22b815bca117ea1550051083b0b91d2

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
26c136c6bf2b5b610dd4b194337e6888

SHA1
18ba55822f43eab5f2a3ba71011fd5e700e705d1

SHA256
43e93b8addc241052807acaedffbaabdb61904dc784784e69f6d3837959a02fe

SHA512
bb6712412a6783b5e03d7d4370b339c69bf3a7ff7cac621378a98b00d1ac92f9922ade9980247145050c3540c79a3a4a96e940b8a5b442f99c02a88566c8fd33

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
26c136c6bf2b5b610dd4b194337e6888

SHA1
18ba55822f43eab5f2a3ba71011fd5e700e705d1

SHA256
43e93b8addc241052807acaedffbaabdb61904dc784784e69f6d3837959a02fe

SHA512
bb6712412a6783b5e03d7d4370b339c69bf3a7ff7cac621378a98b00d1ac92f9922ade9980247145050c3540c79a3a4a96e940b8a5b442f99c02a88566c8fd33

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
d56d070674f4a91cc2334d2e23081de9

SHA1
1a11144b97d21ae146f7e3e1c76e28e968cc8301

SHA256
bcf9cca15199ee989009048158f82c4b656bc5fc34acc3d818587d165e06aa93

SHA512
3ba699baa1a3d3ebc5782fdc44ce2d3c1bbd203961bdbbde14544f14d5e0bebcafe73d565b015ec1c0319c416075475f7684fd677246b3c8b375212d85463715

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
12231acb4185a8f1730bb00534def275

SHA1
c031b76d39cd0548b1cd86b19ea5b5d733807c33

SHA256
21c200702e135b9866dda3dc67be9529a5b17d07f04bdc80f6ecbbf017d5d7cf

SHA512
62b14f8e19a5a8321345048719fef3f83c2cbf2c119badbb6bdc5b2cfb449e403908715900620d0592713da0b02d469f2639d8fcd4fadfa0feaf2ceb7ab18268

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
12231acb4185a8f1730bb00534def275

SHA1
c031b76d39cd0548b1cd86b19ea5b5d733807c33

SHA256
21c200702e135b9866dda3dc67be9529a5b17d07f04bdc80f6ecbbf017d5d7cf

SHA512
62b14f8e19a5a8321345048719fef3f83c2cbf2c119badbb6bdc5b2cfb449e403908715900620d0592713da0b02d469f2639d8fcd4fadfa0feaf2ceb7ab18268

Download Submit
\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
9d69a27b7b4e2c7ed663f85aad0056cb

SHA1
a9a971111d23e8734b156dc4bf134e448213e2f8

SHA256
accef7f88fe94925d56f2ad41f2026185a28555887e53fac6ab561ea5cd6eed9

SHA512
5c949cebd46699a535fa87ba50a8491a40670d99f30acad9cd127320ed61b3c5501d3bdd0ae7d1581e0db69ecfaeddd3956bb387c234a4aa25219e8eae8f5a22

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13d4a41813a3a820d8415261a7ef0682

SHA1
15f41b2c8895056a5c4e4620f5c997161a530e6f

SHA256
4a5b19728e78a483afad52e09d09d469833a18ab39bc21b2f8819f743b143a99

SHA512
a3d52a0bb8af5192a9df617071ab94002133af04886a3cf98c72cd3b0bf2f6a83ae0e4b4cb15a97a7ee45653df98d77e5e229ebfa96f1a84bc67de95c8283db8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13d4a41813a3a820d8415261a7ef0682

SHA1
15f41b2c8895056a5c4e4620f5c997161a530e6f

SHA256
4a5b19728e78a483afad52e09d09d469833a18ab39bc21b2f8819f743b143a99

SHA512
a3d52a0bb8af5192a9df617071ab94002133af04886a3cf98c72cd3b0bf2f6a83ae0e4b4cb15a97a7ee45653df98d77e5e229ebfa96f1a84bc67de95c8283db8

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
72KB

MD5
e697a03e838402f50a5bef92d8e66487

SHA1
59234e6fde58a40e38c460e300dbbc7ddb2b425e

SHA256
3cf21b4c4dc1737670c1ef5245d392bda1c052d301c6610c837afdd137eecbf6

SHA512
42a3ec99acdc71c45472d22b188cd228553f4bc9d8a67dbcde07233b2420d475396ddae9b5eaddd0e1dc24d601cdf487ad7b9ce5b22665e037bbd15040b6228f

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
72KB

MD5
e697a03e838402f50a5bef92d8e66487

SHA1
59234e6fde58a40e38c460e300dbbc7ddb2b425e

SHA256
3cf21b4c4dc1737670c1ef5245d392bda1c052d301c6610c837afdd137eecbf6

SHA512
42a3ec99acdc71c45472d22b188cd228553f4bc9d8a67dbcde07233b2420d475396ddae9b5eaddd0e1dc24d601cdf487ad7b9ce5b22665e037bbd15040b6228f

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
58ba8ee152d990714ea7893e1140e1eb

SHA1
73b6d6aa2acb1a4a4d4ee66dc44e27824a354993

SHA256
e121237e9646cb9c08c29f46fa7bf8cfd6e66c17aa401ca6555a52c47934b0e3

SHA512
956a4739a218897b3190a21b349f041798946d37a6a37983137e2ed2caf2ef28a80dcc887bdfa77a29c3af9ea26abbd0e07f248e1bd4b217aab94fb578e6bc22

Download Submit
\Users\Admin\AppData\Local\Temp\1228708684\backup.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
\Users\Admin\AppData\Local\Temp\1228708684\backup.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\System Restore.exe

Filesize
72KB

MD5
200fd3628bde24ba94eea8ac961bbb1b

SHA1
a6bd325a1799d2dca5996e36b04468fb3ccfdd4c

SHA256
52653750048cece3d5d4c27b4658e83e92672a42e3d307a4940ae7b38a7123b1

SHA512
5b10ffb8ec0ac0310ad2cc0656c0133cd036e5c12bb48f7662883ebcc53e88ec51d7887d31a114279c75ec826687d36a6b91894016f3eaccab2ecec654d85b0b

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
176b93da86ae422ec241b5d744d35ef2

SHA1
44dedb7ca81dadfc2c3b062d58ddc0d7c3db7609

SHA256
9910651e57392107338a9414f073c3838eda7212be1345cb9c693c38a1273685

SHA512
d86e068f22efe3d628b18318aa04e8314a2d2f5155c88a6828819962830a4f865f7d2c579230bca653cdba9e942c1978b9f988d5c77dad0ee529348b9adcc6e7

Download Submit
memory/956-113-0x0000000074A21000-0x0000000074A23000-memory.dmp

Filesize
8KB

Download
memory/956-98-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads