f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39

Analysis

max time kernel
148s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
Size

72KB
MD5

09122b7f3ce6e0789599d8ff2ba07534
SHA1

57295dbae20f7f050035721c7648f9a07bf6f2c1
SHA256

f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39
SHA512

5a7dcf5a03f0b7a2cf3b0cd27354ee20127d34be0297f56dfd02cd73529a431143ab66f09578384161d74d2173cb71b730f18490eef8d1e65e97e6de1195fe9f
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP3b:ieTce/U/hKYuKPr

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1952	backup.exe
1216	backup.exe
320	backup.exe
544	backup.exe
1716	backup.exe
1724	backup.exe
980	backup.exe
1324	backup.exe
1360	backup.exe
2040	backup.exe
672	backup.exe
2032	backup.exe
736	backup.exe
1628	backup.exe
1336	backup.exe
276	backup.exe
2016	backup.exe
1976	backup.exe
1168	backup.exe
988	backup.exe
472	backup.exe
1196	backup.exe
680	backup.exe
1704	backup.exe
560	backup.exe
1724	backup.exe
1068	backup.exe
1608	backup.exe
1712	backup.exe
1548	backup.exe
856	backup.exe
904	backup.exe
1900	backup.exe
1856	backup.exe
920	backup.exe
1876	backup.exe
1480	backup.exe
1332	backup.exe
2024	backup.exe
1000	backup.exe
436	backup.exe
1992	backup.exe
1544	backup.exe
1824	backup.exe
948	backup.exe
1996	backup.exe
840	backup.exe
1872	backup.exe
996	backup.exe
1728	backup.exe
1760	backup.exe
1164	backup.exe
1064	backup.exe
1764	backup.exe
1120	backup.exe
980	backup.exe
1616	data.exe
1568	backup.exe
1660	System Restore.exe
1672	backup.exe
1520	backup.exe
2040	backup.exe
888	backup.exe
2004	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1324	backup.exe
1324	backup.exe
1360	backup.exe
1360	backup.exe
1324	backup.exe
1324	backup.exe
672	backup.exe
672	backup.exe
2032	backup.exe
2032	backup.exe
672	backup.exe
672	backup.exe
1628	backup.exe
1628	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
1336	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe
1712	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
1952	backup.exe
1216	backup.exe
320	backup.exe
544	backup.exe
1716	backup.exe
1724	backup.exe
980	backup.exe
1324	backup.exe
1360	backup.exe
2040	backup.exe
672	backup.exe
2032	backup.exe
736	backup.exe
1628	backup.exe
1336	backup.exe
276	backup.exe
2016	backup.exe
1976	backup.exe
1168	backup.exe
988	backup.exe
472	backup.exe
1196	backup.exe
680	backup.exe
1704	backup.exe
560	backup.exe
1724	backup.exe
1068	backup.exe
1608	backup.exe
1712	backup.exe
1548	backup.exe
856	backup.exe
904	backup.exe
1900	backup.exe
1856	backup.exe
920	backup.exe
1876	backup.exe
1480	backup.exe
1332	backup.exe
2024	backup.exe
1000	backup.exe
436	backup.exe
1992	backup.exe
1544	backup.exe
1824	backup.exe
948	backup.exe
1996	backup.exe
840	backup.exe
1872	backup.exe
996	backup.exe
1728	backup.exe
1760	backup.exe
1164	backup.exe
1064	backup.exe
1764	backup.exe
1120	backup.exe
980	backup.exe
1616	data.exe
1568	backup.exe
1660	System Restore.exe
1672	backup.exe
1520	backup.exe
2040	backup.exe
888	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1952	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	26
PID 1364 wrote to memory of 1952	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	26
PID 1364 wrote to memory of 1952	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	26
PID 1364 wrote to memory of 1952	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	26
PID 1364 wrote to memory of 1216	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	27
PID 1364 wrote to memory of 1216	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	27
PID 1364 wrote to memory of 1216	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	27
PID 1364 wrote to memory of 1216	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	27
PID 1364 wrote to memory of 320	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	28
PID 1364 wrote to memory of 320	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	28
PID 1364 wrote to memory of 320	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	28
PID 1364 wrote to memory of 320	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	28
PID 1364 wrote to memory of 544	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	29
PID 1364 wrote to memory of 544	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	29
PID 1364 wrote to memory of 544	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	29
PID 1364 wrote to memory of 544	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	29
PID 1364 wrote to memory of 1716	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	30
PID 1364 wrote to memory of 1716	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	30
PID 1364 wrote to memory of 1716	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	30
PID 1364 wrote to memory of 1716	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	30
PID 1364 wrote to memory of 1724	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	31
PID 1364 wrote to memory of 1724	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	31
PID 1364 wrote to memory of 1724	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	31
PID 1364 wrote to memory of 1724	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	31
PID 1364 wrote to memory of 980	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	32
PID 1364 wrote to memory of 980	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	32
PID 1364 wrote to memory of 980	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	32
PID 1364 wrote to memory of 980	1364	f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe	32
PID 1952 wrote to memory of 1324	1952	backup.exe	33
PID 1952 wrote to memory of 1324	1952	backup.exe	33
PID 1952 wrote to memory of 1324	1952	backup.exe	33
PID 1952 wrote to memory of 1324	1952	backup.exe	33
PID 1324 wrote to memory of 1360	1324	backup.exe	34
PID 1324 wrote to memory of 1360	1324	backup.exe	34
PID 1324 wrote to memory of 1360	1324	backup.exe	34
PID 1324 wrote to memory of 1360	1324	backup.exe	34
PID 1360 wrote to memory of 2040	1360	backup.exe	35
PID 1360 wrote to memory of 2040	1360	backup.exe	35
PID 1360 wrote to memory of 2040	1360	backup.exe	35
PID 1360 wrote to memory of 2040	1360	backup.exe	35
PID 1324 wrote to memory of 672	1324	backup.exe	36
PID 1324 wrote to memory of 672	1324	backup.exe	36
PID 1324 wrote to memory of 672	1324	backup.exe	36
PID 1324 wrote to memory of 672	1324	backup.exe	36
PID 672 wrote to memory of 2032	672	backup.exe	37
PID 672 wrote to memory of 2032	672	backup.exe	37
PID 672 wrote to memory of 2032	672	backup.exe	37
PID 672 wrote to memory of 2032	672	backup.exe	37
PID 2032 wrote to memory of 736	2032	backup.exe	38
PID 2032 wrote to memory of 736	2032	backup.exe	38
PID 2032 wrote to memory of 736	2032	backup.exe	38
PID 2032 wrote to memory of 736	2032	backup.exe	38
PID 672 wrote to memory of 1628	672	backup.exe	39
PID 672 wrote to memory of 1628	672	backup.exe	39
PID 672 wrote to memory of 1628	672	backup.exe	39
PID 672 wrote to memory of 1628	672	backup.exe	39
PID 1628 wrote to memory of 1336	1628	backup.exe	40
PID 1628 wrote to memory of 1336	1628	backup.exe	40
PID 1628 wrote to memory of 1336	1628	backup.exe	40
PID 1628 wrote to memory of 1336	1628	backup.exe	40
PID 1336 wrote to memory of 276	1336	backup.exe	41
PID 1336 wrote to memory of 276	1336	backup.exe	41
PID 1336 wrote to memory of 276	1336	backup.exe	41
PID 1336 wrote to memory of 276	1336	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe
"C:\Users\Admin\AppData\Local\Temp\f81c5b49f20bd885ca59212f5d4aa7d180c54027cbff25a99cadd8794f039c39.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\3571136243\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3571136243\backup.exe C:\Users\Admin\AppData\Local\Temp\3571136243\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1952
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1360
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:672
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2032
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:736
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1628
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1000
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1296
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:660
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1532
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1520
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:2016
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:436
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:276
        
        C:\Program Files\Common Files\System\ado\update.exe
        
        "C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        System policy modification
        
        PID:1732
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1760
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:560
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1520
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:572
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1888
        
        C:\Program Files\Common Files\System\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1300
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:828
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1528
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1948
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:368
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1176
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1468
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1648
      - C:\Program Files\DVD Maker\de-DE\data.exe
        
        "C:\Program Files\DVD Maker\de-DE\data.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1148
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1936
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1944
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1992
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1964
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1372
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1260
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:812
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1708
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1768
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1468
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1120
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1620
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1056
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:2008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2028
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1644
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1412
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:1912
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        System policy modification
        
        PID:360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1972
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:2008
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:524
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1340
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:856
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2032
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1868
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1856
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1248
      - C:\Program Files\Internet Explorer\en-US\data.exe
        
        "C:\Program Files\Internet Explorer\en-US\data.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:828
      - C:\Program Files\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files\Internet Explorer\es-ES\update.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1568
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1688
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1624
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1480
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1356
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1028
    - - C:\Program Files\Microsoft Games\update.exe
        
        "C:\Program Files\Microsoft Games\update.exe" C:\Program Files\Microsoft Games\
        5⤵
        System policy modification
        
        PID:1736
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1408
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1684
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:888
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Disables RegEdit via registry modification
        
        PID:924
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:2036
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:360
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:948
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1100
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1936
    - - C:\Program Files\VideoLAN\data.exe
        
        "C:\Program Files\VideoLAN\data.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1196
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:980
    - - C:\Program Files (x86)\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:684
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        
        PID:1680
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:660
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1684
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1400
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:1744
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1936
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1300
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        System policy modification
        
        PID:1740
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1652
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1360
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1388
      - C:\Program Files (x86)\Common Files\System\data.exe
        
        "C:\Program Files (x86)\Common Files\System\data.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1816
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:904
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:2044
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1708
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1076
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1716
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:1548
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:736
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1740
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\System Restore.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:584
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1260
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        
        PID:1224
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1412
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1628
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:988
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:920
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8ad48c4e83279f3532f8200c957558e1

SHA1
69814e278b2143439570317d2352be0e27115d07

SHA256
5044bfac3a4da8659c5cab9acb19e1c29714382b2f3baf9c95ef3d0b9101e1b5

SHA512
ef7754e8b34f2da960b53e24c40b2f284ad6bb9d4b65414a42dc2eb09d66aab498fad8096572996c77a4c5731d443b0ad4f1d97c2d4a38913d8180806a273834

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
29cdf327e091d0b38f1aa9d8dc5975fd

SHA1
5c9f5cd78695afc181e55708149f2764f5650062

SHA256
4c41aa4c48c975e6d0cee1852e29bf0c90af43497546eaddb15ce5b4ae63570a

SHA512
8f12a2920a11292b02f9feac023a5cca32f292a7f35158f9d3ad590ed3bcde067044e27a689b3b78af3249010664c6727402bfed0b55b02e745b7acb7d1b1e7e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
29cdf327e091d0b38f1aa9d8dc5975fd

SHA1
5c9f5cd78695afc181e55708149f2764f5650062

SHA256
4c41aa4c48c975e6d0cee1852e29bf0c90af43497546eaddb15ce5b4ae63570a

SHA512
8f12a2920a11292b02f9feac023a5cca32f292a7f35158f9d3ad590ed3bcde067044e27a689b3b78af3249010664c6727402bfed0b55b02e745b7acb7d1b1e7e

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
885692bf8bab2dcaeb6335130dbb7a58

SHA1
a0bec22b8a0995df28b59e8586ae41893ab5245a

SHA256
814dd284250132ff51e4debd8e0c71e4890b40a1f4728657e13948f4b9638efc

SHA512
d60b7dac84629774e07899440ddf5d860eef2946893b0abbe9c4bceb0d3a2af6cde7270b43787260a7be21a3f215fa3c41d2645a44e1fc9d2d75b4fd48fa47ad

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
09c659cea3199ee27940a3f27fe23626

SHA1
9ab6ca9984761b217742f1eca3c3aad14f0abcd7

SHA256
1b7fb729e71a048c1eb2d3dadfe8b6201e4c7403b27ec9976a504c1ad47be8a5

SHA512
4169209ac761882fdb1a99d81bfd81a37311596aedf878fa4c28689ec49a149e59df973b5455d5d7cf85050ccc34f9252f87e2bf8adbd8318b52f06c0883032a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
09c659cea3199ee27940a3f27fe23626

SHA1
9ab6ca9984761b217742f1eca3c3aad14f0abcd7

SHA256
1b7fb729e71a048c1eb2d3dadfe8b6201e4c7403b27ec9976a504c1ad47be8a5

SHA512
4169209ac761882fdb1a99d81bfd81a37311596aedf878fa4c28689ec49a149e59df973b5455d5d7cf85050ccc34f9252f87e2bf8adbd8318b52f06c0883032a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
a41765e92f880c277614c316301f3c6a

SHA1
abda6c8322a72997458bd6ea8747f18d6a640797

SHA256
9c36377da21071edc01b2a5c33e198be7c6708ea6f815b78a12b364101a3dbd0

SHA512
e2e11c0585536286da1184a2370baef44c2e014dc962fe2f01569fb543c8cd3d00d2617e10f55674918b0c7420d7aa45a05107b338e26e08fdefabc01617584e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
a41765e92f880c277614c316301f3c6a

SHA1
abda6c8322a72997458bd6ea8747f18d6a640797

SHA256
9c36377da21071edc01b2a5c33e198be7c6708ea6f815b78a12b364101a3dbd0

SHA512
e2e11c0585536286da1184a2370baef44c2e014dc962fe2f01569fb543c8cd3d00d2617e10f55674918b0c7420d7aa45a05107b338e26e08fdefabc01617584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3571136243\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3571136243\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
C:\backup.exe

Filesize
72KB

MD5
b7027b6ebe7ad320bf83f9a5d027aa52

SHA1
1c04457218595a38d8c4bdc91ea4188eccd67f34

SHA256
b4e7aebb67bdbba40db8271bc4cee2a1c8a3eb61663d24a60ea802e397d3b0c1

SHA512
11b621017f53bf3b5bca1b3447223b966552544b88d196bb799eb91b450335e355fdfe46bb852afa53d80942ecc3e257d1faea6b3f3f3ae90e7dabb0141c8af5

Download Submit
C:\backup.exe

Filesize
72KB

MD5
b7027b6ebe7ad320bf83f9a5d027aa52

SHA1
1c04457218595a38d8c4bdc91ea4188eccd67f34

SHA256
b4e7aebb67bdbba40db8271bc4cee2a1c8a3eb61663d24a60ea802e397d3b0c1

SHA512
11b621017f53bf3b5bca1b3447223b966552544b88d196bb799eb91b450335e355fdfe46bb852afa53d80942ecc3e257d1faea6b3f3f3ae90e7dabb0141c8af5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8ad48c4e83279f3532f8200c957558e1

SHA1
69814e278b2143439570317d2352be0e27115d07

SHA256
5044bfac3a4da8659c5cab9acb19e1c29714382b2f3baf9c95ef3d0b9101e1b5

SHA512
ef7754e8b34f2da960b53e24c40b2f284ad6bb9d4b65414a42dc2eb09d66aab498fad8096572996c77a4c5731d443b0ad4f1d97c2d4a38913d8180806a273834

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8ad48c4e83279f3532f8200c957558e1

SHA1
69814e278b2143439570317d2352be0e27115d07

SHA256
5044bfac3a4da8659c5cab9acb19e1c29714382b2f3baf9c95ef3d0b9101e1b5

SHA512
ef7754e8b34f2da960b53e24c40b2f284ad6bb9d4b65414a42dc2eb09d66aab498fad8096572996c77a4c5731d443b0ad4f1d97c2d4a38913d8180806a273834

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
29cdf327e091d0b38f1aa9d8dc5975fd

SHA1
5c9f5cd78695afc181e55708149f2764f5650062

SHA256
4c41aa4c48c975e6d0cee1852e29bf0c90af43497546eaddb15ce5b4ae63570a

SHA512
8f12a2920a11292b02f9feac023a5cca32f292a7f35158f9d3ad590ed3bcde067044e27a689b3b78af3249010664c6727402bfed0b55b02e745b7acb7d1b1e7e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
29cdf327e091d0b38f1aa9d8dc5975fd

SHA1
5c9f5cd78695afc181e55708149f2764f5650062

SHA256
4c41aa4c48c975e6d0cee1852e29bf0c90af43497546eaddb15ce5b4ae63570a

SHA512
8f12a2920a11292b02f9feac023a5cca32f292a7f35158f9d3ad590ed3bcde067044e27a689b3b78af3249010664c6727402bfed0b55b02e745b7acb7d1b1e7e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
885692bf8bab2dcaeb6335130dbb7a58

SHA1
a0bec22b8a0995df28b59e8586ae41893ab5245a

SHA256
814dd284250132ff51e4debd8e0c71e4890b40a1f4728657e13948f4b9638efc

SHA512
d60b7dac84629774e07899440ddf5d860eef2946893b0abbe9c4bceb0d3a2af6cde7270b43787260a7be21a3f215fa3c41d2645a44e1fc9d2d75b4fd48fa47ad

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
885692bf8bab2dcaeb6335130dbb7a58

SHA1
a0bec22b8a0995df28b59e8586ae41893ab5245a

SHA256
814dd284250132ff51e4debd8e0c71e4890b40a1f4728657e13948f4b9638efc

SHA512
d60b7dac84629774e07899440ddf5d860eef2946893b0abbe9c4bceb0d3a2af6cde7270b43787260a7be21a3f215fa3c41d2645a44e1fc9d2d75b4fd48fa47ad

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
6762edd000eed344a4fb6c796a6651f2

SHA1
a80a40fc82a1d7e179acda0ba9005c802e1dd733

SHA256
90bc0d82269b377f3d3ef250ea02b057b7a46af9dd7c86b027f248c1a75dad25

SHA512
0293dc77fe6e151e834dcf9f7d7dfad0c6504d14e4b81a0b8df728850bbda285f2fe931d5bd015d0cfca1fba1483f44467339bee224070a8ec34dd52dbc45535

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
09c659cea3199ee27940a3f27fe23626

SHA1
9ab6ca9984761b217742f1eca3c3aad14f0abcd7

SHA256
1b7fb729e71a048c1eb2d3dadfe8b6201e4c7403b27ec9976a504c1ad47be8a5

SHA512
4169209ac761882fdb1a99d81bfd81a37311596aedf878fa4c28689ec49a149e59df973b5455d5d7cf85050ccc34f9252f87e2bf8adbd8318b52f06c0883032a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
09c659cea3199ee27940a3f27fe23626

SHA1
9ab6ca9984761b217742f1eca3c3aad14f0abcd7

SHA256
1b7fb729e71a048c1eb2d3dadfe8b6201e4c7403b27ec9976a504c1ad47be8a5

SHA512
4169209ac761882fdb1a99d81bfd81a37311596aedf878fa4c28689ec49a149e59df973b5455d5d7cf85050ccc34f9252f87e2bf8adbd8318b52f06c0883032a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
faac361d9a8f6d348726078cb7f96cc1

SHA1
1cf7f4375db0e1abe3d1daef01d3469badcecbdd

SHA256
7d9e7c3777c238c3f233cb8946ef9faf4cd45074b7127569b908df1863f0f420

SHA512
5f6c0c3f7c51191b2d65cf075f11a7060d1272b56eb3981410973410edbe1fe7c390d875414e2c8170fb2d0b63ac95b2ca9482c2d16473d5adacbb7127129dff

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eefb74b67bec15926a6e32b002989cef

SHA1
b0205ede119c5774fa165ad66f2dc5e090a703a9

SHA256
3e85d39d19912e63eae8dda3e23c104da9f48d1f9b6ec10ce9ab3b670bf6cde5

SHA512
c204b71d5950a08d94a091d29588de66a1409892cde10f321ac4c55a946f5b1c6d17c58178205a5c4cb5d9f1b49635d16173ab2333d4fc3f56421f7bede47035

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
a41765e92f880c277614c316301f3c6a

SHA1
abda6c8322a72997458bd6ea8747f18d6a640797

SHA256
9c36377da21071edc01b2a5c33e198be7c6708ea6f815b78a12b364101a3dbd0

SHA512
e2e11c0585536286da1184a2370baef44c2e014dc962fe2f01569fb543c8cd3d00d2617e10f55674918b0c7420d7aa45a05107b338e26e08fdefabc01617584e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
a41765e92f880c277614c316301f3c6a

SHA1
abda6c8322a72997458bd6ea8747f18d6a640797

SHA256
9c36377da21071edc01b2a5c33e198be7c6708ea6f815b78a12b364101a3dbd0

SHA512
e2e11c0585536286da1184a2370baef44c2e014dc962fe2f01569fb543c8cd3d00d2617e10f55674918b0c7420d7aa45a05107b338e26e08fdefabc01617584e

Download Submit
\Users\Admin\AppData\Local\Temp\3571136243\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
\Users\Admin\AppData\Local\Temp\3571136243\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
1f19fee3fe3996a7c43238cbec209302

SHA1
6f4e784421c72c72bda40118ccd3217188c49c31

SHA256
0570b5e690736854326480f0a7028ebb2dfb5cfebc7800c42d9161fac519a032

SHA512
f806265db3234b99d5e348de14ce34cc414ed1b15a02e81bafa25f2a30ea2d8ed4ea9da63ef1ce95bc3e31d77a512c18847456d243b4e3134681b1a57c515fad

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c166dd5c35bc9bfa9ff77a1a53a09e6c

SHA1
526c093f182ef3d47846a015d8005c71b467346e

SHA256
79fe68935db228e32e83a1c556aa700db28b892accb4bac97cf8ca4f47ca1244

SHA512
5621ddd34b87c073c467ac3611c9ff2b70f9cff9b29073e81d8a5ed6d1380f34e92b81257b33160cb6b75a5fcc8b5af02ab3b17bb880ea5f10897ae1fa592f28

Download Submit
memory/1364-98-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1364-118-0x0000000074591000-0x0000000074593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads