6c1e861b60264c9a2b5eecc85e047292510753ad22ddb1e28b7554c39b57f2ed

Analysis

max time kernel
58s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a426a61bc83569cc2f96900478ca26d.exe
Size

72KB
MD5

0a426a61bc83569cc2f96900478ca26d
SHA1

7290b4b78b00f413906ca520d099b97c2bcb8c83
SHA256

6c1e861b60264c9a2b5eecc85e047292510753ad22ddb1e28b7554c39b57f2ed
SHA512

33f911015f01113d67c7ced57d316c23b7f35aeffb8781b8547c68a6f9c2f044befcc9a03caafef6e1cb59ac4226d49943360717fefe60a830c736fb768448d9
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2K:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrG

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0a426a61bc83569cc2f96900478ca26d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2788	backup.exe
2692	backup.exe
2768	System Restore.exe
2568	backup.exe
2916	backup.exe
2732	backup.exe
2592	backup.exe
2872	backup.exe
2944	backup.exe
460	backup.exe
2040	backup.exe
288	backup.exe
1052	backup.exe
2624	backup.exe
1644	backup.exe
1628	backup.exe
2252	backup.exe
3004	backup.exe
1116	backup.exe
1448	backup.exe
2460	backup.exe
400	backup.exe
676	backup.exe
3016	backup.exe
952	backup.exe
1340	backup.exe
2364	backup.exe
1456	backup.exe
836	System Restore.exe
1316	backup.exe
1996	backup.exe
1700	update.exe
2208	backup.exe
1612	backup.exe
2656	backup.exe
2784	backup.exe
2884	backup.exe
2780	backup.exe
2696	backup.exe
2764	backup.exe
2248	backup.exe
2640	backup.exe
3056	backup.exe
1480	backup.exe
2852	backup.exe
2036	backup.exe
796	backup.exe
1120	backup.exe
2652	backup.exe
1964	backup.exe
744	backup.exe
2844	backup.exe
288	backup.exe
580	backup.exe
732	System Restore.exe
2312	backup.exe
1540	backup.exe
2104	backup.exe
2268	backup.exe
2660	backup.exe
2096	backup.exe
620	backup.exe
2356	backup.exe
2452	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
1648	0a426a61bc83569cc2f96900478ca26d.exe
2872	backup.exe
2872	backup.exe
2944	backup.exe
2944	backup.exe
2872	backup.exe
2872	backup.exe
2040	backup.exe
2040	backup.exe
288	backup.exe
288	backup.exe
2040	backup.exe
2040	backup.exe
2624	backup.exe
2624	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
2252	backup.exe
836	System Restore.exe
836	System Restore.exe
836	System Restore.exe
836	System Restore.exe
836	System Restore.exe
1700	update.exe
1700	update.exe
1700	update.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\data.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\update.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	update.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	update.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	update.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	update.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	0a426a61bc83569cc2f96900478ca26d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1648	0a426a61bc83569cc2f96900478ca26d.exe
2788	backup.exe
2692	backup.exe
2768	System Restore.exe
2568	backup.exe
2916	backup.exe
2732	backup.exe
2592	backup.exe
2872	backup.exe
2944	backup.exe
460	backup.exe
2040	backup.exe
288	backup.exe
1052	backup.exe
2624	backup.exe
1644	backup.exe
1628	backup.exe
2252	backup.exe
3004	backup.exe
1116	backup.exe
1448	backup.exe
2460	backup.exe
400	backup.exe
676	backup.exe
3016	backup.exe
952	backup.exe
1340	backup.exe
2364	backup.exe
1456	backup.exe
836	System Restore.exe
1316	backup.exe
1996	backup.exe
1700	update.exe
2208	backup.exe
1612	backup.exe
2656	backup.exe
2784	backup.exe
2884	backup.exe
2780	backup.exe
2696	backup.exe
2764	backup.exe
2248	backup.exe
2640	backup.exe
3056	backup.exe
1480	backup.exe
2852	backup.exe
2036	backup.exe
796	backup.exe
1120	backup.exe
2652	backup.exe
1964	backup.exe
744	backup.exe
2844	backup.exe
288	backup.exe
580	backup.exe
732	System Restore.exe
2312	backup.exe
1540	backup.exe
2104	backup.exe
2268	backup.exe
2660	backup.exe
2096	backup.exe
620	backup.exe
2356	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2788	1648	0a426a61bc83569cc2f96900478ca26d.exe	211
PID 1648 wrote to memory of 2788	1648	0a426a61bc83569cc2f96900478ca26d.exe	211
PID 1648 wrote to memory of 2788	1648	0a426a61bc83569cc2f96900478ca26d.exe	211
PID 1648 wrote to memory of 2788	1648	0a426a61bc83569cc2f96900478ca26d.exe	211
PID 1648 wrote to memory of 2692	1648	0a426a61bc83569cc2f96900478ca26d.exe	210
PID 1648 wrote to memory of 2692	1648	0a426a61bc83569cc2f96900478ca26d.exe	210
PID 1648 wrote to memory of 2692	1648	0a426a61bc83569cc2f96900478ca26d.exe	210
PID 1648 wrote to memory of 2692	1648	0a426a61bc83569cc2f96900478ca26d.exe	210
PID 1648 wrote to memory of 2768	1648	0a426a61bc83569cc2f96900478ca26d.exe	205
PID 1648 wrote to memory of 2768	1648	0a426a61bc83569cc2f96900478ca26d.exe	205
PID 1648 wrote to memory of 2768	1648	0a426a61bc83569cc2f96900478ca26d.exe	205
PID 1648 wrote to memory of 2768	1648	0a426a61bc83569cc2f96900478ca26d.exe	205
PID 1648 wrote to memory of 2568	1648	0a426a61bc83569cc2f96900478ca26d.exe	209
PID 1648 wrote to memory of 2568	1648	0a426a61bc83569cc2f96900478ca26d.exe	209
PID 1648 wrote to memory of 2568	1648	0a426a61bc83569cc2f96900478ca26d.exe	209
PID 1648 wrote to memory of 2568	1648	0a426a61bc83569cc2f96900478ca26d.exe	209
PID 1648 wrote to memory of 2916	1648	0a426a61bc83569cc2f96900478ca26d.exe	142
PID 1648 wrote to memory of 2916	1648	0a426a61bc83569cc2f96900478ca26d.exe	142
PID 1648 wrote to memory of 2916	1648	0a426a61bc83569cc2f96900478ca26d.exe	142
PID 1648 wrote to memory of 2916	1648	0a426a61bc83569cc2f96900478ca26d.exe	142
PID 1648 wrote to memory of 2732	1648	0a426a61bc83569cc2f96900478ca26d.exe	30
PID 1648 wrote to memory of 2732	1648	0a426a61bc83569cc2f96900478ca26d.exe	30
PID 1648 wrote to memory of 2732	1648	0a426a61bc83569cc2f96900478ca26d.exe	30
PID 1648 wrote to memory of 2732	1648	0a426a61bc83569cc2f96900478ca26d.exe	30
PID 1648 wrote to memory of 2592	1648	0a426a61bc83569cc2f96900478ca26d.exe	97
PID 1648 wrote to memory of 2592	1648	0a426a61bc83569cc2f96900478ca26d.exe	97
PID 1648 wrote to memory of 2592	1648	0a426a61bc83569cc2f96900478ca26d.exe	97
PID 1648 wrote to memory of 2592	1648	0a426a61bc83569cc2f96900478ca26d.exe	97
PID 2788 wrote to memory of 2872	2788	backup.exe	136
PID 2788 wrote to memory of 2872	2788	backup.exe	136
PID 2788 wrote to memory of 2872	2788	backup.exe	136
PID 2788 wrote to memory of 2872	2788	backup.exe	136
PID 2872 wrote to memory of 2944	2872	backup.exe	135
PID 2872 wrote to memory of 2944	2872	backup.exe	135
PID 2872 wrote to memory of 2944	2872	backup.exe	135
PID 2872 wrote to memory of 2944	2872	backup.exe	135
PID 2944 wrote to memory of 460	2944	backup.exe	128
PID 2944 wrote to memory of 460	2944	backup.exe	128
PID 2944 wrote to memory of 460	2944	backup.exe	128
PID 2944 wrote to memory of 460	2944	backup.exe	128
PID 2872 wrote to memory of 2040	2872	backup.exe	127
PID 2872 wrote to memory of 2040	2872	backup.exe	127
PID 2872 wrote to memory of 2040	2872	backup.exe	127
PID 2872 wrote to memory of 2040	2872	backup.exe	127
PID 2040 wrote to memory of 288	2040	backup.exe	126
PID 2040 wrote to memory of 288	2040	backup.exe	126
PID 2040 wrote to memory of 288	2040	backup.exe	126
PID 2040 wrote to memory of 288	2040	backup.exe	126
PID 288 wrote to memory of 1052	288	backup.exe	124
PID 288 wrote to memory of 1052	288	backup.exe	124
PID 288 wrote to memory of 1052	288	backup.exe	124
PID 288 wrote to memory of 1052	288	backup.exe	124
PID 2040 wrote to memory of 2624	2040	backup.exe	34
PID 2040 wrote to memory of 2624	2040	backup.exe	34
PID 2040 wrote to memory of 2624	2040	backup.exe	34
PID 2040 wrote to memory of 2624	2040	backup.exe	34
PID 2624 wrote to memory of 1644	2624	backup.exe	32
PID 2624 wrote to memory of 1644	2624	backup.exe	32
PID 2624 wrote to memory of 1644	2624	backup.exe	32
PID 2624 wrote to memory of 1644	2624	backup.exe	32
PID 1644 wrote to memory of 1628	1644	backup.exe	31
PID 1644 wrote to memory of 1628	1644	backup.exe	31
PID 1644 wrote to memory of 1628	1644	backup.exe	31
PID 1644 wrote to memory of 1628	1644	backup.exe	31

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

C:\Users\Admin\AppData\Local\Temp\0a426a61bc83569cc2f96900478ca26d.exe
"C:\Users\Admin\AppData\Local\Temp\0a426a61bc83569cc2f96900478ca26d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  PID:2768
- - C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
    "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
    3⤵
    PID:2932
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Drops file in Program Files directory
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\2848149237\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2848149237\backup.exe C:\Users\Admin\AppData\Local\Temp\2848149237\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2252
- - C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1448
- - C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:400
- - C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3016
- - C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:952
- - C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:676
- - C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1340
- - C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
    3⤵
    PID:2364
- - C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
    3⤵
    PID:1456
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:836
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1316
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
      4⤵
      PID:1996
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1700
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
      4⤵
      PID:1612
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
      4⤵
      PID:2656
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2784
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2884
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
      4⤵
      PID:2780
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
      4⤵
      PID:2208
- - C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2640
- - C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
    3⤵
    PID:3056
- - C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
    3⤵
    PID:1480
- - C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2652
- - C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
    3⤵
    PID:1964
- - C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:744
- - C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
    3⤵
    PID:288
  - - C:\Program Files\7-Zip\Lang\backup.exe
      "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1052
- - C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\System Restore.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:732
- - C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
    3⤵
    PID:2268
- - C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:620
- - C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2356
- - C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2096
- - C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:580
- - C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796
- - C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3004
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2452
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    PID:1932
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
    3⤵
    PID:1820
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
    3⤵
    PID:768
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
    3⤵
    PID:1832
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
    3⤵
    PID:972
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
    3⤵
    - System policy modification
    PID:2328
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1456
- - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
    3⤵
    PID:2196
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
  2⤵
  - System policy modification
  PID:2484
- C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
  2⤵
  - System policy modification
  PID:2212
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1724
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
    3⤵
    PID:1608
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1612
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1532
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
    3⤵
    - Disables RegEdit via registry modification
    PID:2280
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
    3⤵
    - Disables RegEdit via registry modification
    PID:2712
- C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
  2⤵
  PID:1480
- - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:2904
  - - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
      4⤵
      PID:536
- C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops file in Program Files directory
  - System policy modification
  PID:2976

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files\Common Files\Services\backup.exe
  "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
  2⤵
  PID:796
- C:\Program Files\Common Files\SpeechEngines\backup.exe
  "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - System policy modification
  PID:1732
- - C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
    "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
    3⤵
    PID:2620
- C:\Program Files\Common Files\System\backup.exe
  "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
  2⤵
  - Drops file in Program Files directory
  PID:664
- - C:\Program Files\Common Files\System\ado\backup.exe
    "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
    3⤵
    - Drops file in Program Files directory
    PID:272
  - - C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe
      "C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files\Common Files\System\ado\de-DE\
      4⤵
      PID:680
  - - C:\Program Files\Common Files\System\ado\en-US\backup.exe
      "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:736
  - - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
      "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1680
  - - C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2064
  - - C:\Program Files\Common Files\System\ado\it-IT\data.exe
      "C:\Program Files\Common Files\System\ado\it-IT\data.exe" C:\Program Files\Common Files\System\ado\it-IT\
      4⤵
      PID:1676
  - - C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2288
- - C:\Program Files\Common Files\System\de-DE\backup.exe
    "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2992
- - C:\Program Files\Common Files\System\en-US\backup.exe
    "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
    3⤵
    - System policy modification
    PID:1528
- - C:\Program Files\Common Files\System\es-ES\backup.exe
    "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
    3⤵
    PID:1076
- - C:\Program Files\Common Files\System\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
    3⤵
    - System policy modification
    PID:1988
- - C:\Program Files\Common Files\System\it-IT\backup.exe
    "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
    3⤵
    PID:1708
- - C:\Program Files\Common Files\System\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3000
- - C:\Program Files\Common Files\System\msadc\backup.exe
    "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
    3⤵
    PID:1696
  - - C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
      "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:2472
  - - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
      "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1620
  - - C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
      "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
      4⤵
      System policy modification
      PID:2428
  - - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
      4⤵
      Disables RegEdit via registry modification
      PID:1008
  - - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
      "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1520
  - - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
      4⤵
      PID:2364
- - C:\Program Files\Common Files\System\Ole DB\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
    3⤵
    - Drops file in Program Files directory
    - System policy modification
    PID:1416
  - - C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:2216
  - - C:\Program Files\Common Files\System\Ole DB\en-US\System Restore.exe
      "C:\Program Files\Common Files\System\Ole DB\en-US\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
      4⤵
      PID:2176
  - - C:\Program Files\Common Files\System\Ole DB\es-ES\data.exe
      "C:\Program Files\Common Files\System\Ole DB\es-ES\data.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
      4⤵
      PID:840
  - - C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
      4⤵
      PID:2704
  - - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
      4⤵
      PID:2272
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2028
  - - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2656

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
1⤵
PID:2720

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:2880

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
1⤵
PID:2696

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
1⤵
PID:1208

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
1⤵
PID:2576

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
1⤵
PID:2636

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:288

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\DVD Maker\backup.exe
  "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
  2⤵
  PID:2796
- - C:\Program Files\DVD Maker\de-DE\backup.exe
    "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2680
- - C:\Program Files\DVD Maker\en-US\backup.exe
    "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2720
- - C:\Program Files\DVD Maker\es-ES\backup.exe
    "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
    3⤵
    PID:2736
- - C:\Program Files\DVD Maker\fr-FR\backup.exe
    "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
    3⤵
    PID:1992
- - C:\Program Files\DVD Maker\it-IT\backup.exe
    "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
    3⤵
    - System policy modification
    PID:2008
- - C:\Program Files\DVD Maker\ja-JP\backup.exe
    "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2576
- - C:\Program Files\DVD Maker\Shared\backup.exe
    "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
    3⤵
    - Drops file in Program Files directory
    - System policy modification
    PID:2584
  - - C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
      "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
      4⤵
      PID:2744
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        5⤵
        
        PID:2024
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        5⤵
        
        PID:2856
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1752
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1480
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        5⤵
        
        PID:2236
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        5⤵
        System policy modification
        
        PID:1160
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2960
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        5⤵
        
        PID:1624
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        5⤵
        System policy modification
        
        PID:1296
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        5⤵
        System policy modification
        
        PID:1796
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        5⤵
        
        PID:2148
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        5⤵
        
        PID:1816
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        5⤵
        
        PID:1556
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        5⤵
        
        PID:2968
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        5⤵
        
        PID:1916
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        5⤵
        System policy modification
        
        PID:2516
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        5⤵
        
        PID:680
- C:\Program Files\Google\backup.exe
  "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
  2⤵
  - System policy modification
  PID:988
- C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:2220
- - C:\Program Files\Internet Explorer\de-DE\update.exe
    "C:\Program Files\Internet Explorer\de-DE\update.exe" C:\Program Files\Internet Explorer\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    PID:320
- - C:\Program Files\Internet Explorer\en-US\backup.exe
    "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
    3⤵
    PID:2292
- - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
    "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
    3⤵
    PID:544
- - C:\Program Files\Internet Explorer\fr-FR\backup.exe
    "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
    3⤵
    PID:2396
- - C:\Program Files\Internet Explorer\images\backup.exe
    "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
    3⤵
    PID:2368
- - C:\Program Files\Internet Explorer\it-IT\backup.exe
    "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
    3⤵
    PID:2148
- - C:\Program Files\Internet Explorer\ja-JP\backup.exe
    "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2000
- - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
    "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
    3⤵
    PID:2636
- C:\Program Files\Java\System Restore.exe
  "C:\Program Files\Java\System Restore.exe" C:\Program Files\Java\
  2⤵
  - Drops file in Program Files directory
  - System policy modification
  PID:1140
- - C:\Program Files\Java\jdk1.7.0_80\data.exe
    "C:\Program Files\Java\jdk1.7.0_80\data.exe" C:\Program Files\Java\jdk1.7.0_80\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3056
  - - C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
      4⤵
      PID:2536
  - - C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2860
    - - C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        5⤵
        
        PID:2052
    - - C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1020
  - - C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
      4⤵
      PID:2816
    - - C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        5⤵
        
        PID:2884
  - - C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
      4⤵
      PID:2352
  - - C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
      4⤵
      PID:2724
    - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        5⤵
        
        PID:288
- - C:\Program Files\Java\jre7\backup.exe
    "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
    3⤵
    - Drops file in Program Files directory
    PID:1992
  - - C:\Program Files\Java\jre7\bin\backup.exe
      "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
      4⤵
      System policy modification
      PID:2800
    - - C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        5⤵
        
        PID:296
    - - C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        5⤵
        
        PID:1516
    - - C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        5⤵
        
        PID:2196
  - - C:\Program Files\Java\jre7\lib\backup.exe
      "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
      4⤵
      PID:3000
- C:\Program Files\Microsoft Games\backup.exe
  "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1208
- - C:\Program Files\Microsoft Games\Chess\backup.exe
    "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
    3⤵
    PID:2640
- - C:\Program Files\Microsoft Games\FreeCell\backup.exe
    "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
    3⤵
    PID:1828
  - - C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
      4⤵
      PID:1356
- - C:\Program Files\Microsoft Games\Hearts\backup.exe
    "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
    3⤵
    PID:2736
- - C:\Program Files\Microsoft Games\Mahjong\backup.exe
    "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
    3⤵
    PID:2496
- - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
    "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
    3⤵
    PID:1956
- - C:\Program Files\Microsoft Games\More Games\backup.exe
    "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
    3⤵
    PID:2700
- - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
    "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
    3⤵
    PID:2240
- - C:\Program Files\Microsoft Games\Purble Place\backup.exe
    "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
    3⤵
    PID:2368
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  PID:2532
- C:\Program Files\Mozilla Firefox\update.exe
  "C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  PID:2772
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  PID:488
- C:\Program Files\Reference Assemblies\data.exe
  "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
  2⤵
  PID:1072
- C:\Program Files\VideoLAN\backup.exe
  "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
  2⤵
  PID:764
- C:\Program Files\Windows Defender\backup.exe
  "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
  2⤵
  PID:528
- C:\Program Files\Windows Journal\backup.exe
  "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
  2⤵
  PID:2324
- C:\Program Files\Windows Mail\backup.exe
  "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
  2⤵
  PID:1168

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:460

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2944

C:\backup.exe
\backup.exe \
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2872
- C:\Program Files (x86)\data.exe
  "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
  2⤵
  - Drops file in Program Files directory
  PID:1212
- - C:\Program Files (x86)\Adobe\System Restore.exe
    "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
    3⤵
    PID:604
  - - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
      4⤵
      Drops file in Program Files directory
      PID:1676
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1936
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2176
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        6⤵
        
        PID:3052
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        6⤵
        Drops file in Program Files directory
        
        PID:2912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        9⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:764
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1980
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2272
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:760
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2796
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2728
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2892
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2024
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        5⤵
        Drops file in Program Files directory
        
        PID:2744
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        6⤵
        
        PID:2668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2832
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        6⤵
        
        PID:320
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        6⤵
        System policy modification
        
        PID:824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        7⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        7⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        8⤵
        
        PID:2936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        9⤵
        
        PID:848
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        6⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        7⤵
        
        PID:744
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        5⤵
        
        PID:2128
      - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
- - C:\Program Files (x86)\Common Files\backup.exe
    "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
    3⤵
    - Drops file in Program Files directory
    PID:1968
  - - C:\Program Files (x86)\Common Files\Adobe\data.exe
      "C:\Program Files (x86)\Common Files\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\
      4⤵
      Disables RegEdit via registry modification
      PID:1456
    - - C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2928
    - - C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2948
      - C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        6⤵
        
        PID:1584
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        7⤵
        
        PID:288
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:780
    - - C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        5⤵
        
        PID:1008
  - - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:2792
    - - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        5⤵
        
        PID:1984
      - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        6⤵
        
        PID:688
  - - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
      "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
      4⤵
      PID:984
  - - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Common Files\Services\backup.exe
      "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
      4⤵
      PID:1144
  - - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
      "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
      4⤵
      PID:620
  - - C:\Program Files (x86)\Common Files\System\backup.exe
      "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
      4⤵
      PID:1580
- - C:\Program Files (x86)\Google\backup.exe
    "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2808
  - - C:\Program Files (x86)\Google\CrashReports\update.exe
      "C:\Program Files (x86)\Google\CrashReports\update.exe" C:\Program Files (x86)\Google\CrashReports\
      4⤵
      System policy modification
      PID:1352
  - - C:\Program Files (x86)\Google\Temp\backup.exe
      "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
      4⤵
      PID:2304
  - - C:\Program Files (x86)\Google\Update\backup.exe
      "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      System policy modification
      PID:1808
    - - C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        5⤵
        
        PID:1980
    - - C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        5⤵
        
        PID:1756
- - C:\Program Files (x86)\Internet Explorer\System Restore.exe
    "C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
    3⤵
    - System policy modification
    PID:2296
  - - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
      "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
      "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
      4⤵
      PID:2316
  - - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
      "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
      "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
      4⤵
      PID:2256
  - - C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
      "C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
      4⤵
      PID:972
  - - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
      "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
      4⤵
      PID:2608
  - - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
      "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
      4⤵
      PID:872
- - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
    "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
    3⤵
    PID:2984
- - C:\Program Files (x86)\Microsoft Office\backup.exe
    "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
    "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
    3⤵
    PID:1448
- - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
    "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
    3⤵
    PID:876
- - C:\Program Files (x86)\Microsoft Visual Studio 8\update.exe
    "C:\Program Files (x86)\Microsoft Visual Studio 8\update.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
    3⤵
    PID:1636
- - C:\Program Files (x86)\Microsoft.NET\backup.exe
    "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
    3⤵
    PID:2356
- C:\Users\System Restore.exe
  "C:\Users\System Restore.exe" C:\Users\
  2⤵
  - System policy modification
  PID:928
- - C:\Users\Admin\backup.exe
    C:\Users\Admin\backup.exe C:\Users\Admin\
    3⤵
    PID:1260
  - - C:\Users\Admin\Contacts\update.exe
      C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
      4⤵
      PID:2696
  - - C:\Users\Admin\Desktop\backup.exe
      C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:1912
  - - C:\Users\Admin\Documents\backup.exe
      C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
      4⤵
      Disables RegEdit via registry modification
      PID:1408
  - - C:\Users\Admin\Downloads\backup.exe
      C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
      4⤵
      PID:2268
  - - C:\Users\Admin\Favorites\backup.exe
      C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
      4⤵
      PID:2108
  - - C:\Users\Admin\Links\backup.exe
      C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
      4⤵
      PID:2564
  - - C:\Users\Admin\Music\backup.exe
      C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
      4⤵
      PID:792
  - - C:\Users\Admin\Pictures\backup.exe
      C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
      4⤵
      PID:1380
  - - C:\Users\Admin\Saved Games\backup.exe
      "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
      4⤵
      PID:2544
  - - C:\Users\Admin\Searches\backup.exe
      C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
      4⤵
      PID:1912
  - - C:\Users\Admin\Videos\update.exe
      C:\Users\Admin\Videos\update.exe C:\Users\Admin\Videos\
      4⤵
      PID:2268
- - C:\Users\Public\backup.exe
    C:\Users\Public\backup.exe C:\Users\Public\
    3⤵
    PID:2732
  - - C:\Users\Public\Documents\backup.exe
      C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
      4⤵
      PID:3024
  - - C:\Users\Public\Downloads\backup.exe
      C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
      4⤵
      PID:1960
  - - C:\Users\Public\Music\backup.exe
      C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
      4⤵
      PID:2260
  - - C:\Users\Public\Pictures\backup.exe
      C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
      4⤵
      PID:2020
- C:\Windows\update.exe
  C:\Windows\update.exe C:\Windows\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Drops file in Windows directory
  - System policy modification
  PID:2028
- - C:\Windows\addins\backup.exe
    C:\Windows\addins\backup.exe C:\Windows\addins\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2012
- - C:\Windows\AppCompat\backup.exe
    C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1624
- - C:\Windows\AppPatch\backup.exe
    C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
    3⤵
    - Disables RegEdit via registry modification
    - Drops file in Windows directory
    - System policy modification
    PID:2844
  - - C:\Windows\AppPatch\AppPatch64\backup.exe
      C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
      4⤵
      PID:2452
  - - C:\Windows\AppPatch\Custom\backup.exe
      C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
      4⤵
      PID:2664
  - - C:\Windows\AppPatch\de-DE\backup.exe
      C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
      4⤵
      PID:2300
  - - C:\Windows\AppPatch\en-US\backup.exe
      C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
      4⤵
      PID:2376
  - - C:\Windows\AppPatch\es-ES\backup.exe
      C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
      4⤵
      PID:2456
  - - C:\Windows\AppPatch\fr-FR\data.exe
      C:\Windows\AppPatch\fr-FR\data.exe C:\Windows\AppPatch\fr-FR\
      4⤵
      PID:2204
  - - C:\Windows\AppPatch\it-IT\backup.exe
      C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
      4⤵
      PID:2180
  - - C:\Windows\AppPatch\ja-JP\backup.exe
      C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
      4⤵
      PID:1148
- - C:\Windows\assembly\backup.exe
    C:\Windows\assembly\backup.exe C:\Windows\assembly\
    3⤵
    - Drops file in Windows directory
    - System policy modification
    PID:2540
  - - C:\Windows\assembly\GAC\backup.exe
      C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
      4⤵
      PID:1676
  - - C:\Windows\assembly\GAC_32\backup.exe
      C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
      4⤵
      PID:2952
  - - C:\Windows\assembly\GAC_64\backup.exe
      C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
      4⤵
      PID:1712
  - - C:\Windows\assembly\GAC_MSIL\backup.exe
      C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
      4⤵
      PID:1768
  - - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
      C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
      4⤵
      PID:1832
  - - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
      C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
      4⤵
      PID:2036
  - - C:\Windows\assembly\NativeImages_v4.0.30319_32\System Restore.exe
      "C:\Windows\assembly\NativeImages_v4.0.30319_32\System Restore.exe" C:\Windows\assembly\NativeImages_v4.0.30319_32\
      4⤵
      PID:920
- - C:\Windows\Branding\backup.exe
    C:\Windows\Branding\backup.exe C:\Windows\Branding\
    3⤵
    PID:1576
- - C:\Windows\CSC\backup.exe
    C:\Windows\CSC\backup.exe C:\Windows\CSC\
    3⤵
    PID:2900
- - C:\Windows\Cursors\backup.exe
    C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
    3⤵
    PID:1548
- - C:\Windows\debug\backup.exe
    C:\Windows\debug\backup.exe C:\Windows\debug\
    3⤵
    PID:2380
- - C:\Windows\de-DE\update.exe
    C:\Windows\de-DE\update.exe C:\Windows\de-DE\
    3⤵
    PID:2940
- - C:\Windows\DigitalLocker\backup.exe
    C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
    3⤵
    PID:1160
- - C:\Windows\Downloaded Program Files\backup.exe
    "C:\Windows\Downloaded Program Files\backup.exe" C:\Windows\Downloaded Program Files\
    3⤵
    PID:2372

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1548
- C:\Program Files\Google\Chrome\Application\System Restore.exe
  "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
1⤵
- Disables RegEdit via registry modification
PID:1704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
1⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\System Restore.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\System Restore.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
1⤵
- Modifies visibility of file extensions in Explorer
PID:2504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
1⤵
PID:1208

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
1⤵
PID:2612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:2024
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
  2⤵
  PID:2740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
6775ec9210810a4806c51624c1f227f9

SHA1
a08fe5ee21e4f264b6f3cd16a5b96d799c9e0a23

SHA256
042258f35302e2de15ffed2539af2b90aa6b3c1565dea9c6971e9f482db02d04

SHA512
f78412a6f3fd8b7f96b49b8204939ba1aa25ed11f2b430d42caa7a50498317b509af0d100f114f8cf6a24858a32ecf74db1711d48e829f42fdeb939c04543e02

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
72872dde7915c26e277f0c4acac03f7d

SHA1
0cae5a310c375df98daf596ea4f61d24f36fdd2b

SHA256
20ef91684a46d3419dbebcd7f8dfa9c6f21b7b28b564c2da693b1686f287c0f8

SHA512
73b32bc6daeb49fe68cbfe486599241121414b57ac820d70883bdca6dc62ebd420f43e0257e6573315fbe3cb0524938089f9fa9f7ebb51308a46e0c0f5680bfd

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
47e218866eae075ab7c00ff58626ff2f

SHA1
2c1a12b72acf13d41bca029ecaa2b19680340806

SHA256
24747accb53dba64ecd52f5997eb26d7af72e46adf04a0aaaa6ae3e95886e599

SHA512
c949176c565f6b0cd00fd980ba17f05b548df68f12ecf42aec6be931c203aefce84d5251986167357e3af7be34c235e4178e7ee5e4aa70aef5c025874165dc8c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
d0e016b7c7049e8d4cefbd6506ec5ebc

SHA1
8c6ad8c70748b56622d52b54118f8a7aa97145bb

SHA256
5a070a3af7f160be79e74700ae9fcadf197662331ad859a7d63a58a5a1782c12

SHA512
4e7f86bb4705589c07359c335fdf41baf0e112e8ea79a51f09766f98ccbe4263a7ab4af4baa6c62e28cf88ba8fe4b772c9a7a8185e17dfccdf432b46299b6da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2848149237\backup.exe

Filesize
72KB

MD5
a47feba23eea23fd28be341e635abcc1

SHA1
6bb0d2e103a229a5b2a113184d6dd747ce00ea32

SHA256
93900e2724fea7a8422259054411bb72598db76e242125597fa06b556252b32c

SHA512
a3d396338e44643ee862920f57f1bb5c7c4859804792310eea7de6f17c6fd102b9817c5c97a19d5dd0086d744c8aff75486a7cdea2fde3a267ac38547893bbc2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
2f736c89935d4949bea0ae2f6456e418

SHA1
bb27e037e0a014fb99e394cf130cc9614bf4fb00

SHA256
ed496209ed9bc08cf321c67337252fd900dfa5de883e6fdb692d52207c82edf6

SHA512
efec81c8d70f4393a0f9dde09ebd097406839d564648e45f8d3cc72dbf5fc8f465c264a57aa640187a64b921c028d7bc91cf8f06a53c14b6ac1dd2ba99272de8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
abbdd9304e10848ee5892c8b75af19b3

SHA1
ea477b93b230a7a95d152a7e8cd8b493a2c9a642

SHA256
e9956e08e7ed22c5529e29819c0c298942774fe966d4c5750493e88829edd6f5

SHA512
769ee9fac4a80be84d98015772d095fefafb7312b16dd25be9e698505b2dc76d4e42e2d3509a9f36bbe624f5cac7e98b8f40f0bcb4cbe42be9fb8aa737e083a7

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7cdc7b1028538c3e8e22671eeb3181bc

SHA1
329d0cc341eac18b1c360d4895f6ff410a2b08be

SHA256
3b93a07ccab4e18b6598860a06371e16299252f84602cce0359f9dbe193a39e1

SHA512
45aefc3970b79f9a82249c6de9cd1a4d6a098ab9a6b674d3dd82be740073b559d9a682f9b1d7d57a80843fee8caa8d56d3a08775035698bbbd081cefc4b2af16

Download Submit
memory/1648-77-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads